METHOD FOR ANALYZING THE COMPUTER RISK OF A NETWORK OF INTEREST RELATED TO EXCHANGES WITH AT LEAST ONE THIRD-PARTY NETWORK

FR3135336B1Active Publication Date: 2026-06-26SERENICITY

Patent Information

Authority / Receiving Office
FR · FR
Patent Type
Patents
Current Assignee / Owner
SERENICITY
Filing Date
2023-04-13
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

Existing methods for detecting IT risks in networks with unknown security levels generate excessive alerts, degrading their relevance and requiring manual filtering, especially in multi-network environments.

Method used

A method to analyze network traffic by comparing captured flows against a database of toxic IP addresses, identifying potentially harmful flows, and transmitting alerts only when necessary, using decoy servers to update the database and incorporating firewall logs for comprehensive risk assessment.

Benefits of technology

Effectively reduces unnecessary alerts while maintaining relevance by identifying and prioritizing critical IT risks across multiple networks, enabling timely administrative action.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 00000016_0000
    Figure 00000016_0000
  • Figure 00000016_0001
    Figure 00000016_0001
  • Figure 00000016_0002
    Figure 00000016_0002
Patent Text Reader

Abstract

The invention relates to a method for analyzing the IT risk of a network of interest (20) directly or indirectly exchanging network flows with at least one third-party network (30, 40, 50), comprising the following steps: - retrieval of network flows captured by at least one firewall (32, 42, 52) belonging to at least one third-party network; - comparison of the destination and origin internet addresses of each retrieved network flow with at least one database of toxic internet addresses (64); each network flow incorporating at least one destination or origin internet address stored in said database of toxic internet addresses corresponding to a toxic flow; and - identification, for each toxic flow, of the nature of the risk in order to determine whether each toxic flow presents a risk to the network of interest or to one of said at least one third-party network. Figure 2.
Need to check novelty before this filing date? Find Prior Art

Description

Title of the invention: METHOD FOR ANALYZING THE INFORMATION RISK OF A NETWORK OF INTEREST RELATED TO EXCHANGES WITH AT LEAST ONE THIRD-PARTY NETWORK Scope of the invention

[0001] The invention relates to a method for detecting IT risks that could arise on a network of interest due to network traffic exchanged between this network of interest and at least one third-party network, whose level of IT security is not necessarily known. For example, the network of interest may be a company, government agency, or university network, and the third-party network may be the network of a direct or indirect subcontractor, or an organization collaborating with the company, government agency, or university.

[0002] The network of interest may also correspond to the network of an operator or the network of a security solution provider. In this case, the method can be used to detect the propagation of toxic flows. State of the art

[0003] Nowadays, many organizations have effective IT security policies. However, other organizations do not always have the financial resources, the interest, or even the motivation to ensure minimum IT security. Yet, the increasing collaboration between organizations necessitates a large number of exchanges between companies, government agencies, and universities. During these exchanges, organizations using strict IT security policies are concerned about the resilience of their subcontractors' or partners' information systems against cyberattacks.

[0004] Moreover, with the deployment of advanced computer security tools, hackers are increasingly using indirect methods to attack an information system by propagating attacks across multiple networks.

[0005] Within the scope of the invention, it is possible to distinguish two types of networks: the network of interest and third-party networks. The network of interest typically corresponds to the network of an organization using a strict IT security policy and for which a network administrator wishes to assess the IT risk associated with exchanges with external networks, known as third-party networks. These third-party networks typically correspond to the computer networks of direct or indirect subcontractors or collaborators.

[0006] Alternatively, in the context of detecting the propagation of toxic flows, the network of interest typically corresponds to an operator network or a provider network of security solution. Third-party networks then correspond to the networks of clients of the operator or the security solution provider.

[0007] To analyze the IT risk of a network, the applicant company offers devices called "Detoxio," "Probio," and "Cymealog," which incorporate a monitoring system for incoming and outgoing network traffic from each device to and from the Internet. As described in patent FR2006068, by comparing the IP addresses of the network traffic with a database containing a list of toxic IP addresses, it is possible to detect toxic network traffic.

[0008] This database containing a list of toxic IP addresses can be obtained by an IP address capture solution using decoy servers, as described in patent FR1852752.

[0009] Next, a vulnerability score for each device is calculated by applying a factor of ten to the toxic outgoing flows relative to the toxic incoming flows. This vulnerability score makes it possible to identify and classify the IT risk associated with each device on a network.

[0010] This innovation could be deployed directly on all third-party networks connected to a network of interest so that a network of interest administrator could verify that the third-party networks present a limited IT risk. However, with this solution, the network of interest administrator would receive a large number of alerts, particularly when the network of interest is connected to several third-party networks.

[0011] Alternatively, this innovation could be deployed on all third-party networks connected to the same operator or the same security solution provider in order to visually alert and / or inform the networks concerned by a computer attack.

[0012] The technical problem of the invention therefore consists of providing an alert to an administrator of a network of interest concerning the computer risk linked to at least one third network connected to the network of interest, while limiting the number of alerts and without degrading the relevance of the alerts.

[0013] The technical problem of the invention can therefore also consist of providing an alert to several third-party networks belonging to the same operator or the same security solution provider. This alert can contain several pieces of information, such as the type of attack, the extent of the propagation, and the vectors of this propagation. This information can be transmitted to each third-party network affected by this attack and to the operator or the security solution provider. Description of the invention

[0014] To solve this technical problem, the invention proposes to detect the toxic flows generated on each third-party network connected to the network of interest and to analyze the nature of toxic flows detected in order to transmit an alert only to an administrator of the network of interest when toxic flows detected are potentially harmful to the network of interest.

[0015] For example, if a third-party network suffers a denial-of-service attack on its website, this type of computer attack is detrimental to the commercial activities of the third-party network, but does not call into question the computer security of the network of interest.

[0016] On the contrary, if the third-party network suffers an attack by remote control of a workstation and that workstation is commonly used to exchange information with the network of interest, this type of attack may present a computer risk detrimental to the network of interest.

[0017] To limit such a computer risk, an administrator of the network of interest may require the administrators of third-party networks to transmit to him, or to a trusted third party such as the applicant company, the network traffic captured by their firewalls. These firewalls are commonly referred to as "firewalls" in English-language literature.

[0018] In another example, if a third-party network is subjected to a remote takeover attack on a workstation and that workstation is used for exchanges between third-party networks belonging to the same operator or the same security solution provider, then this type of attack can spread to several other third-party networks and thus create a propagation of the toxic flow.

[0019] The invention proposes to analyze network flows captured by third-party network firewalls, to detect toxic flows among all these network flows and the nature of the exchanges associated with these toxic flows in order to detect potentially harmful toxic flows for the network of interest.

[0020] Thus, the invention makes it possible to alert an administrator of the network of interest in the event that a computer attack detected on a third-party network may affect the security of the network of interest.

[0021] For the purposes of this invention, a toxic flow corresponds to a flow originating from or destined for a toxic IP address, that is, an IP address referenced in a database and associated with a hacker or presenting a high vulnerability risk. This database is typically compiled and regularly updated by IT security professionals. It can be periodically downloaded and stored internally or accessed on an external platform. This database is preferably obtained through decoy servers that capture toxic IP addresses, as described in French patent FR 1852752.

[0022] The present invention proposes a method for analyzing the IT risk of a network of interest exchanging network flows directly or indirectly with at least one third-party network per risk analysis related to the information system of said at least one third-party network, comprising the following steps: - retrieval of at least one network stream captured by at least one firewall belonging to at least one third-party network; each network stream containing destination and source internet addresses; - comparison of the destination and source internet addresses of each retrieved network flow with at least one database of toxic internet addresses; each network flow incorporating at least one destination or source internet address stored in said database of toxic internet addresses corresponding to a toxic flow; and - identification, for each toxic flow, of the nature of the risk in order to determine if each toxic flow presents a risk to the network of interest or at least one third network.

[0023] Thanks to these provisions, risks can be identified in a simple and effective way on third-party networks, which allows the administrators of the network of interest to take the necessary measures to prevent these risks from spreading there.

[0024] The step of recovering at least one network flow may include sending by said firewall at least one control file to a network analysis device of the network of interest or of the network of a trusted third party, said control file containing said destination and origin internet addresses; which is a simple and effective way of implementing the invention.

[0025] Said at least one control file may further comprise at least: - a direction of traffic flow; - a communication protocol; - a TCP / IP port number used for the connection; and - a timestamp of the network flow, for example the start and end date and time of the network flow.

[0026] This information can then be used to identify the nature of the corresponding risk as precisely as possible.

[0027] Preferably, said database of toxic internet addresses is obtained at least in part by using at least one decoy server. This makes it possible to quickly gather a large number of toxic internet addresses.

[0028] The step of identifying the nature of the risk can help identify a risk related to: - a "brute force" type attack, if a certain number of toxic flows are detected in time intervals below a threshold, and / or - a "compromise" type attack, if said toxic flow connects a system outside of its usual operating hours.

[0029] Since these attacks are particularly common on the internet network, the invention makes it possible to quickly identify them with easily accessible information.

[0030] The step of identifying the nature of the risk may include the use of known information on at least one internet address linked to said toxic flow and stored in said database of toxic internet addresses, this information relating for example to a certain type of attack; which makes it possible to improve the accuracy of the identification of the nature of the risk.

[0031] The step of identifying the nature of the risk may include the following sub-steps: - determination of the risk of propagation based on an identified type of attack, - if a high-risk propagation attack is identified, analysis of the propagation level by considering the number of internet addresses that have suffered an attack of the same nature from a single internet address.

[0032] Analysis of the propagation level allows network administrators to pay closer attention to attacks with a high propagation level, and for example to take defensive actions more quickly.

[0033] Said IT risk analysis method may further include the following steps: - storing each toxic network flow in a toxic flow file; - for each toxic flow that does not present any risk to the computer security of the network of interest or of at least one third network, removal of said toxic flow from the toxic flows file.

[0034] This allows for the retention of traces of toxic flows for further analysis or to gather evidence of the attack. The file can be cleaned to remove flows for which the identified risk is considered negligible or nonexistent. The retention of these traces can also be used for post-incident analysis to understand which flow carried the viral payload and to implement countermeasures to prevent the incident from recurring.

[0035] Said IT risk analysis method may further include the following step: - for each toxic flow presenting a risk to the computer security of the network of interest or of at least one third network, transmission of an alert to an administrator of the network of interest or to a trusted third party.

[0036] This allows the administrator to quickly take the measures required by the risk.

[0037] Said IT risk analysis method may further include the following step: - configuration of an interface by the administrator of the network of interest or by the third party trusted, allowing the selection of at least one type of risk relevant to the IT security of the network of interest or of at least one third-party network; - for each toxic flow identified as corresponding to a type of risk selected in the previous step, transmission of an alert to the administrator of the network of interest or to the trusted third party.

[0038] This allows the administrator not to be alerted when the identified risk is considered by him to be not important, and thus to concentrate on the important risks. Brief description of the figures

[0039] The manner of implementing the invention and the resulting advantages will become clear from the following embodiments, given by way of example but not limitation, with support from the figures in which:

[0040] [Fig-1] Fig. 1 is a schematic view of a first example of architecture network in which the invention can be implemented;

[0041] [Fig.2] The [Fig.2] is a schematic view of the architecture of the [Fig.1], with the addition of a trusted third party to which the toxic flows are sent;

[0042] [Fig.3] The [Fig.3] is a schematic view of a first embodiment of the computer risk analysis method according to the invention;

[0043] [Fig.4] The [Fig.4] is a schematic view of a second example of network architecture in which the invention can be implemented;

[0044] [Fig. 5] [Fig. 5] is a schematic view of the architecture of [Fig. 4], supplemented by a trusted third party to which the toxic flows are sent; and

[0045] [Fig.6] The [Fig.6] is a schematic view of a second embodiment of the computer risk analysis method according to the invention. Detailed description of the invention

[0046] Figure 1 illustrates an example of a network architecture in which the invention can be implemented. In this example, several networks 20, 30, 40, and 50 communicate with each other. More specifically, network 20 exchanges network flows with networks 30 and 40, while network 50 exchanges network flows with network 40. Network 20 may correspond to the network of a large company, while networks 30 and 40 are the networks of direct subcontractors of this large company, and network 50 is a network of an indirect subcontractor. For the purposes of the invention, network 20 corresponds to the network of interest, while networks 30, 40, and 50 are third-party networks, direct or indirect.

[0047] For example, the tier network 30 may correspond to the network of a service provider in charge of managing the various printers of the network of interest 20, in particular to remotely deploy updates to them.

[0048] To do this, the provider uses a server 31 of the third-party network 30 to connect to a device 24 of the network of interest 20. The invention aims in particular to verify that a computer attack carried out on the third-party network 30 cannot lead to a vulnerability of the network of interest 20 via the existing network flows linked between the third-party network 30 and the network of interest 20.

[0049] The third-party network 40 may correspond to the network of a service provider in charge of managing the telephone sets 25 of the different offices of the network of interest 20.

[0050] To do this, the provider uses a server 41 of the third-party network 40 to connect to the telephone sets 25 of the network of interest 20.

[0051] The invention also aims to verify that a computer attack carried out on the tier network 40 cannot lead to a vulnerability of the network of interest 20 via the existing network flows linked between the tier network 40 and the network of interest 20.

[0052] The tier network 50 can correspond to the network of a service provider in charge of managing air conditioning systems 44 connected to the tier network 40. To do this, network flows 11b are generated between a server 51 of the tier network 50 and the air conditioning systems 44 of the tier network 40. With regard to indirect tier networks, the invention can also be implemented to verify that a computer attack carried out on the tier network 50 cannot lead to a vulnerability of the tier network 40 and propagate the vulnerability to the network of interest 20, via the network flows 11b and 11b.

[0053] Furthermore, each tier network 30, 40, and 50 is protected by a dedicated firewall 32, 42, and 52, typically managed by several separate network administrators. These firewalls 32, 42, and 52 incorporate control files 33, 43, and 53 that allow for tracing a history of network flows lia, 11b passing through the firewall. These control files 33, 43, and 53 are also referred to as "logs" in English-language literature.

[0054] As illustrated in [Fig. 2], the firewalls 32, 42, and 52 of the third-party networks 30, 40, 50 are further configured to transmit their control files 33, 43, 53. These control files 33, 43, 53 can be transmitted to an administrator of the network of interest 20 or to a trusted third party. To do this, a secure direct message 12a can be transmitted between the firewalls 32, 42 and an analysis unit 61 of a network 60 of the trusted third party.

[0055] For the indirect third-party network 50, the firewall 52 can be configured to transmit the control file 53 directly to the trusted third party 60, or indirectly through an administrator of the third-party network 40 to which it is connected.

[0056] In the example of [Fig.2], a secure message 12b is transmitted between the firewall 52 and an analysis device 61 of a network 60 of the trusted third party via the third-party network 40.

[0057] More specifically, this analysis unit 61 scans the control files 33, 43, 53, detects toxic flows among all the network flows present in these control files 33, 43, 53 and searches for the nature of the exchanges associated with these toxic flows in order to detect toxic flows potentially harmful to the network of interest 20.

[0058] When at least one potentially harmful toxic flow to the network of interest 20 is detected, the analysis unit 61 generates an alert 13 to an administrator of the network of interest 20. This alert 13 may contain contextualized information according to the needs of the administrator of the network of interest 20.

[0059] An example of implementing the IT risk analysis method is described with reference to [Fig. 3]. In a first step 100, the trusted third party or an administrator of the network of interest 20 retrieves the network flows captured by at least one firewall 32, 42, 52 belonging to a third-party network 30, 40, 50, for example by receiving the control files 33, 43, 53 from the firewalls 32, 42, 52. These control files 33, 43, 53 typically contain a set of network flows with, for each network flow, at least: - a source IP address; - a destination IP address; - a direction of traffic flow; - a type of port used for the connection; and - a timestamp of the network flow, typically the start and end date and time of the network flow.

[0060] When network flows from third-party networks are retrieved, each destination and source IP address is compared, one by one, to the database containing toxic IP addresses 64, in a step 101. Each network flow linked to a toxic IP address is then stored in a toxic flow file 63 integrating, for each period of time, for example for each day or for each hour, all the toxic flows.

[0061] Next, in a step 102, the identification of the nature of the risk is carried out to detect whether each toxic flow presents a risk to the computer security of the network of interest 20 or simply to the computer security of a third network 30, 40, 50.

[0062] In the context of the present invention, the notion of "type" or "nature" of risk may refer to the types of risks used in indicators of compromise or "IOC" as formalized for example in the STIX® language, or to the types of risks listed in the CVE dictionary maintained by the MITRE organization.

[0063] To do this, the analysis unit 61 attempts to characterize each type of computer attack on the basis of scenarios using information obtained from the flows toxic substances detected.

[0064] For example, a "brute force" type attack can be characterized when several toxic flows are detected in very close time intervals, typically if the same toxic IP address has communicated with the same attacked IP address more than two hundred times in the same day.

[0065] Furthermore, the attack times can be used as an indicator to characterize "compromise" type attacks, for example, the compromise of a door locking system. Typically, if a toxic IP address communicates with a door locking system outside of normal hours, then the analysis organ 61 can categorize an attack as a "compromise" type.

[0066] It is also possible to use known information about the detected toxic IP address, possibly present in the toxic IP address database 64, such as the type of attack generally associated with that detected toxic IP address. This information, also called indicators of compromise, or "IOCs," can be integrated into the toxic IP address database or accessed on an external server. The known information may also include entries from the "CVE" dictionary, which can be integrated into the toxic IP address database 64. For example, if it is known that the detected toxic IP address is based on a military complex, it is possible to characterize the type of cyberattack as a "military" attack.

[0067] According to another example, if it is known that the detected toxic IP address hosts a command and control server for a malicious data encryption program, also known as "command-and-control" in the Anglo-Saxon literature, then it is possible to characterize the type of computer attack as a "command center" type attack.

[0068] Furthermore, the ports used for the attacks can also help to characterize the type of attack. Typically, TCP / IP port "22" corresponds to the SSH port, or "Secure Shell" in the Anglo-Saxon literature.

[0069] This port “22” is used to take control of remote machines. Thus, if a hacker manages to take control of a device on a third-party network 30, 40, 50, it is possible to characterize the type of computer attack as a “Trojan horse” attack.

[0070] Thus, a large number of scenarios can be implemented to characterize each type of computer attack.

[0071] Using this characterization, a large number of computer attacks can be removed from the toxic stream file 63 because they are not potentially harmful to the network of interest 20.

[0072] For toxic flows potentially harmful to the network of interest 20, a Alert 13 can be transmitted to the administrator of the network of interest 20, in a step 103. To limit the number of alerts received, the administrator of the network of interest 20 can have an interface allowing them to select the types of attack, for example "brute force", "compromise", "ransomware", "military", "masked", "command center" and "Trojan horse", for which they wish to receive an alert 13.

[0073] Thus, if a "brute force" type attack is characterized in step 102 and the administrator does not wish to receive this type of information, then no alert will be transmitted to the administrator of the network of interest 20.

[0074] This alert 13 can take different forms depending on the needs of the administrator of the network of interest 20. For example, alert 13 can be displayed on a map using the geolocation of the detected toxic IP address, the attacked IP address, or an IP address of the network of interest 20 that communicated with the attacked IP address. Furthermore, each alert 13 can have a different form depending on the nature of the attack.

[0075] Thus, upon receiving alert 13, the administrator of the network of interest 20 can easily see the third-party networks 30, 40, 50 directly or indirectly attacked, the type of attack that these networks have suffered and the direction of traffic flow of these attacks.

[0076] In conclusion, the invention makes it possible to provide an alert 13 to an administrator of a network of interest 20 concerning the IT risk associated with at least one third-party network 30, 40, 50 connected directly or indirectly to the network of interest 20. Furthermore, the invention also proposes to limit the information transmitted to the administrator of the network of interest 20 so as to transmit only relevant alerts 13. By receiving one or more IP addresses of the network of interest 20 for which there is an IT risk, the administrator can take appropriate action. For example, they can conduct investigations and possibly disconnect a device from the network.

[0077] The example in [Fig.4] illustrates a network architecture in which the invention can be implemented to detect the propagation of toxic fluxes.

[0078] In this example, several networks 30, 40 and 50 correspond to third-party customer networks belonging to the network of an operator or to the network of a security solution provider 20. Thus, the network 20 illustrated in [Fig.4] does not correspond to a physical network but to several remote networks which use a similar box from the same operator or which integrate a hardware and / or software device from the same security solution provider. For tier networks 30, 40, 50, network flows (lia) are emitted to access the internet, for example, to access a server 71 on the external network 70. More precisely, when a server 31, 41, 51 belonging to a tier network 30, 40, 50 wants to access the internet, a network flow (lia) traverses a firewall 32, 42, 52 of the tier network 30, 40, 50 as well as an operator's box 22 or a device 22 hardware and / or software from a security solution provider.

[0079] As illustrated in [Fig.5], a trusted third party or a network administrator 20 can retrieve the control files 33, 43, 53 from the firewalls 32, 42, 52 of the third-party networks 30, 40, 50 or capture these network flows at the level of the boxes or devices 22.

[0080] To this end, as described above, a direct secure message 12a can be transmitted between the firewalls 32, 42, 52, 72 and an analysis unit 61 of a network 60 of the trusted third party. Furthermore, one or more external networks 70 can also transmit their control files 73 of the firewalls 72 in a secure message 12c.

[0081] This analysis unit 61 scans the control files 33, 43, 53, and 73, detects toxic flows among all the network flows present in these control files 33, 43, 53, and 73, investigates the nature of the exchanges associated with these toxic flows, and characterizes the toxic flows propagated in the third-party networks 30, 40, and 50. When at least one toxic flow propagated in the third-party networks 30, 40, and 50 is detected, the analysis unit 61 generates an alert 13 for the administrator of the network of interest 20 and, if applicable, the administrators of the third-party networks 30, 40, and 50 affected by this propagated attack. This alert 13 may contain contextualized information according to the needs of the administrator of the network of interest 20.

[0082] An example of implementing the method for detecting the propagation of toxic flows is described with reference to [Fig. 6]. In a first step 110, the trusted third party or an administrator of the network of interest 20 retrieves the network flows captured by at least one firewall 32, 42, 52 and 72 belonging to a third-party network 30, 40, 50, or to an external network 70. For example, by receiving the control files 33, 43, 53, 73 from the firewalls 32, 42, 52, 72. These control files 33, 43, 53, 73 typically contain a set of network flows.

[0083] In a step 111, in the same way as in step 101 of [Fig.3], when the network flows from third-party networks are retrieved, each destination and source IP address is compared, one by one, to the database containing toxic IP addresses 64. Each network flow linked to a toxic IP address is then stored in a toxic flow file 63 integrating, for each period of time, for example for each day or for each hour, all the toxic flows.

[0084] Next, in a step 112, the identification of the nature of the risk is carried out to determine whether each toxic flow presents a risk of propagation in the network of interest 20 or simply for the computer security of a third network 30, 40, 50.

[0085] To this end, the analysis unit 61 attempts to characterize each type of computer attack based on scenarios using information obtained from detected toxic flows, such as the ports used for the attacks or the timestamp and data volume of the attacks. These scenarios make it possible to identify attacks with a high risk of propagation and attacks with a low risk of propagation. At the end of this step 112, attacks with a low risk of propagation are removed from the toxic stream file 63.

[0086] Step 113 then aims to characterize whether these remaining attacks in the toxic stream file 63 have actually propagated throughout the network of interest 20. To do this, component 61 checks whether the toxic IP addresses of the various remaining attacks in the toxic stream file 63 have targeted several different attacked IP addresses. If so, propagation of an attack is characterized if several attacked IP addresses have suffered an attack of the same type originating from the same toxic IP address.

[0087] A propagation is therefore defined by a grouping of toxic flows comprising a toxic IP address, a type of computer attack, and a list of attacked IP addresses.

[0088] To more precisely identify the propagation, it is possible to classify the toxic flows according to their timestamps. The toxic flow with the oldest timestamp can therefore be identified as the entry point for the attack propagation. From all the toxic flows, it is also possible to characterize the type of propagation: point-to-point if the timestamps are successive, or multicast if several simultaneous attacks are detected at very close time intervals and targeting a large number of attacked IP addresses.

[0089] Following the characterization of the propagation, an alert can be issued to the administrator of the network of interest 20 and to the administrators of the tier networks 30, 40, and 50, in step 114. The alert can take the same form as the alert defined in [Fig. 3] by adding a visual representation of the propagation of the toxic flow across the different networks concerned. For example, a chronological representation of the propagation based on the timestamps of the toxic flows, the geolocation of the attacked IP addresses, and the toxic IP address of each propagation can be generated.

[0090] Thus, upon receiving alert 13, the administrator of the network of interest 20 and the administrators of the third-party networks 30, 40, 50 can easily identify the third-party networks 30, 40, 50 that were attacked, the type of attack that these networks suffered, and the nature and speed of the propagation.

Claims

Demands

1. A method for analyzing the IT risk of a network of interest (20) directly or indirectly exchanging network flows (lia, 11b) with at least one third-party network (30, 40, 50, 70) by analyzing the risk related to the information system of said at least one third-party network (30, 40, 50, 70), comprising the following steps: - retrieval (100, 110) of at least one network flow (lia, 11b) captured by at least one firewall (32, 42, 52, 72) belonging to at least one third-party network (30, 40, 50, 70); each network flow (lia, 11b) containing destination and source internet addresses; - comparison (101, 111) of the destination and origin internet addresses of each network flow (lia, 11b) retrieved with at least one database of toxic internet addresses (64); each network flow (lia, 11b) incorporating at least one destination or origin internet address stored in said database of toxic internet addresses (64) corresponding to a toxic flow;and - identification (102, 112), for each toxic flow, of the nature of the risk in order to determine whether each toxic flow presents a risk to the network of interest (20) or at least one third network (30, 40, 50, 70).

2. A computer risk analysis method according to the preceding claim, wherein the retrieval step (100, 110) of at least one network flow (lia, 11b) comprises the sending by said firewall (32, 42, 52, 72) of at least one control file (33, 43, 53, 73) to an analysis device (61) of the network of interest (20) or of the network of a trusted third party (60), said control file (33, 43, 53, 73) containing said destination and origin internet addresses.

3. A computer risk analysis method according to the preceding claim, wherein said at least one control file (33, 43, 53, 73) further comprises at least: - a traffic direction of the flow; - a communication protocol; - a TCP / IP port number used for the connection; and - a timestamp of the network flow, for example the start and end date and time of the network flow.

4. A method for analyzing computer risk according to any one of the preceding claims, wherein said address database toxic internet (64) is obtained at least in part through the use of at least one decoy server.

5. A computer risk analysis method according to any one of the preceding claims, wherein the risk nature identification step makes it possible to identify a risk related to: - a "brute force" type attack, if a certain number of toxic flows are detected in time intervals below a threshold, and / or - a "compromise" type attack, if said toxic flow puts a system into communication outside of its usual operating hours.

6. A computer risk analysis method according to any one of the preceding claims, wherein the step of identifying the nature of the risk includes the use of known information about at least one internet address linked to said toxic flow and stored in said toxic internet address database (64), this information relating for example to a certain type of attack.

7. A computer risk analysis method according to any one of the preceding claims, wherein the risk nature identification step comprises the following substeps: - determination (112) of the propagation risk based on an identified attack type; - if a high-risk propagation attack is identified, analysis (113) of the propagation level by considering the number of internet addresses that have suffered an attack of the same nature from a single internet address.

8. A computer risk analysis method according to any one of the preceding claims, wherein the method further comprises the following steps: - storing each toxic network flow in a toxic flow file (63); - for each toxic flow that does not present any risk to the computer security of the network of interest or of at least one third network, deleting said toxic flow from the toxic flow file (63).

9. A method for analyzing IT risk according to any one of the preceding claims, wherein the method further comprises the following step: - for each toxic flow presenting a risk to IT security- network format of the network of interest or of at least one third network, transmission of an alert to an administrator of the network of interest or to a trusted third party.

10. A computer risk analysis method according to claim 9, wherein the method further comprises the following steps: - configuration of an interface by the administrator of the network of interest or by the trusted third party, allowing the selection of at least one type of risk relevant to the computer security of the network of interest or of one of said at least one third-party network; and - for each toxic flow identified as corresponding to a type of risk selected in the previous step, transmission of an alert to the administrator of the network of interest or to the trusted third party.