Patent Grant
11611570
The present application is a National Phase entry of PCT Application No. PCT/EP2017/083624, filed Dec. 19, 2017, which claims priority from European Patent Application No. 16207657.4, filed Dec. 30, 2016, each of which is fully incorporated herein by reference.
The present disclosure relates to the detection of a network attack data in a network-connected computer system.
Secure data such as sensitive, protected, private or confidential data stored in or by a network-connected computer system is susceptible to access and/or disclosure to an untrusted environment such as the public internet. Such access or disclosure can occur intentionally or unintentionally and is known as a data breach, information disclosure, data leak or data spill. A data breach may not be identified by a data owner or other entity responsible for or interested in the data and appropriate protective, remediative or responsive actions will generally not take place until a data breach is detected, leading to periods of exposure where data that is thought to be secure actually is not.
Thus, there is a need to detect a data breach when it has occurred.
The present disclosure accordingly provides, in a first aspect, a computer implemented method to generate a signature of a network attack for a network-connected computing system, the signature including rules for identifying the network attack, the method comprising generating, at a trusted secure computing device, a copy of data distributed across a network; the computing device identifying information about the network attack stored in the copy of the data; and the computing device generating the signature for the network attack based on the information about the network attack so as to subsequently identify the network attack occurring on a computer network.
In some embodiments the information about the network attack includes at least a portion of code or script for carrying out the network attack and the signature identifies the network attack based on the portion.
In some embodiments the information about the network attack includes at least a portion of data obtained by the network attack and the signature identifies the network attack based on characteristics of the obtained data.
In some embodiments the characteristics of the obtained data include: one or more of an identification of, data type of, number of and order of data fields in the data; metadata associated with the data; and/or the content of the data.
The present disclosure accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the methods set out above.
The present disclosure accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the methods set out above.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:
In the arrangement of
The availability of at least a portion of the sensitive information 212 as data dump 204 thus constitutes a data breach. The trusted secure computing device 220 is operates and is operated in a trusted and secure manner such that its processing and data is protected from disclosure such as via the network 200. The trusted secure computing device 220 generates a copy of the data dump 204 accessible to the device 220. The copy 222 can be whole or partial. The trusted secure device 220 further includes a searcher 224 component as a hardware, software, firmware or combination component adapted to access the sensitive information 212 and search for any part of the sensitive information 212 in the data dump copy 222. Preferably the trusted secure computing device 220 is operated in a mode whereby the trusted secure device 222 is disconnected from the network 200 while the device 222 accesses the sensitive information 212 so as to preclude data breach of the sensitive information 212 via the network 200. Further, preferably the searcher 224 of the trusted secure computing device 220 accesses the sensitive information 212 other than via the network 200 such as via a separate, private, secure and trusted communication means between the trusted secure computing device 220 and the sensitive information 212. Alternatively, the sensitive information 212 can be encrypted or otherwise protected for communication to or access by the trusted secure computing device 220.
Thus, the trusted secure computing device 220 is operable to identify any portion of sensitive information 212 in the data dump copy 222 and thus in the data dump 204. Accordingly, the trusted secure device 220 detects a data breach where sensitive information 212 is included in the data dump 204. Where a positive determination of a data breach is made by the trusted secure device 220 responsive and/or remedial measures can be implemented.
Where a data breach of some portion of sensitive information 212 is known to have occurred, the sensitive information 212 can be identified as disclosed, breached, discredited and/or invalidated. For example, where the sensitive information is authentication, authorization, access control or other security information such a passwords, keys, identification information and the like, such information can be invalidated and resources normally accessed or protected by such information can be terminated, disconnected, enter an elevated security state, be further protected and/or removed from network access until trust can be resumed.
Further, where the computing system 210 is associated with the sensitive information 212 and includes, controls or operates with computer services for generating, accessing and/or processing the sensitive information 212, a positive determination of a data breach of sensitive information 212 can result in the implementation of protective measures in respect of the computing system 210 or computing services executing, operating or running thereon or therewith.
Some causes of data breach include malicious attacks on the network-connected computer system 210 and the unauthorized access or retrieval of at least some portion of the sensitive data 212. Such attacks can be caused by malicious software and/or users operating via the network 200 including: malicious network communication; malicious scripts; malicious executable code; malicious database queries; exploitation of computing service vulnerabilities; and other types and means of attack as will be apparent to those skilled in the art.
Individuals involved in such attacks or other parties can take pride or interest in the techniques employed to attack a computing system and can share those techniques publicly such as via data 404 stored in a manner accessible via the network 200, such as a website, pastebin dump or the like. For example, information about a network attack can be shared such as scripts, executable code, source code, database query statements, combination of these and other information used to carry out an attack as will be apparent to those skilled in the art. Such information about a network attack can be stored as data 404 connected to the network 200 for others to access and reuse to launch new attacks on potentially different targets on potentially different networks.
Furthermore, other information about a network attack may be discerned from data 404 made available via the network 200. For example, the output (or data dump) of an attack may be provided as data 404 such as a database query output, the output of a sensitive computing system, sensitive information 212 structured in a particular way and the like. Such data 404 constitutes information about a network attack and characteristics of the data 404 can indicate characteristics of the mechanism employed to obtain, structure, format, display or communicate the data. For example, a database query report resulting from the execution of a database query contains data fields (e.g. columns) that can depend on the executed query itself. Thus, a structured query language (SQL) “SELECT” statement followed by an enumerated list of columns (e.g. “SELECT COLUMNA, COLUMNB, COLUMNC”) can be inferred from a database report including only those columns. Accordingly, information about the attack can be inferred from characteristics of the data 404 where the data is generated, reported, received or communicated based on the attack.
In accordance with embodiments of the present disclosure, information about a network attack stored in data 404 accessible via the network 200 is used to generate a signature for the network attack such that the network attack can be detected in future based on the signature. A signature of a network attack includes one or more rules and/or patterns reflecting characteristics of the attack that can be used to detect the attack. For example, a signature can be defined based on byte sequences in malicious network traffic or known malicious instruction sequences used by malicious software. Where data 404 includes a particular script, executable code, query or the like then characteristics of such data can be used to formulate the signature. Similarly, where data 404 includes an identification of characteristics of the attack such as data fields selected in a query or the like then such data can be used to formulate the signature. Combinations of such information can also be used to formulate signatures for detecting a network attack.
The identification of network attacks based on the signature assists in preventing, responding to, remediating or otherwise handing such attacks. However, in some scenarios the data 404 including information about the attack may not be recent data. For example, the data 404 may be data arising from a data breach occurring a relatively long time ago such as data that was not immediately disclosed, published or hosted for access via the network 200 or data that was not discovered until more recently. Accordingly, the information about the attack contained in the data 404 may have been used in one or more attacks occurring in the intervening period and a data breach of sensitive information 212 associated with the computing system 210 may have occurred. In such situations owners, users or other parties with interest in the sensitive information 212 may be unaware that some portion of the sensitive data 212 has previously been implicated in a network attack that may result in data breach. Accordingly, it is advantageous to identify the occurrence of a network attack even where the attack is in the past.
Insofar as embodiments described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present disclosure. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilizes the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present disclosure.
It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 16207657 | Dec 2016 | EP | regional |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2017/083624 | 12/19/2017 | WO |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2018/122051 | 7/5/2018 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 6618718 | Couch | Sep 2003 | B1 |
| 8204984 | Aziz | Jun 2012 | B1 |
| 8429180 | Sobel | Apr 2013 | B1 |
| 8495384 | DeLuccia | Jul 2013 | B1 |
| 8782790 | Smith | Jul 2014 | B1 |
| 8806629 | Cherepov | Aug 2014 | B1 |
| 8904531 | Saklikar et al. | Dec 2014 | B1 |
| 9027135 | Aziz | May 2015 | B1 |
| 9071638 | Aziz | Jun 2015 | B1 |
| 9342695 | Barkan | May 2016 | B2 |
| 9485262 | Kahn | Nov 2016 | B1 |
| 9560072 | Xu | Jan 2017 | B1 |
| 9565202 | Kindlund | Feb 2017 | B1 |
| 9591023 | McClintock | Mar 2017 | B1 |
| 10027689 | Rathor | Jul 2018 | B1 |
| 10268840 | Lockhart, III et al. | Apr 2019 | B2 |
| 10332056 | Yang | Jun 2019 | B2 |
| 10452630 | Tariq | Oct 2019 | B2 |
| 10454950 | Aziz | Oct 2019 | B1 |
| 10523686 | Mehta et al. | Dec 2019 | B1 |
| 20050114707 | DeStefano | May 2005 | A1 |
| 20060026423 | Bangerter | Feb 2006 | A1 |
| 20070094728 | Julisch | Apr 2007 | A1 |
| 20100070800 | Hanna | Mar 2010 | A1 |
| 20100121872 | Subramaniam | May 2010 | A1 |
| 20120005147 | Nakakoji et al. | Jan 2012 | A1 |
| 20120130980 | Wong et al. | May 2012 | A1 |
| 20120158626 | Zhu | Jun 2012 | A1 |
| 20120304244 | Xie | Nov 2012 | A1 |
| 20130117852 | Stute | May 2013 | A1 |
| 20130263226 | Sudia | Oct 2013 | A1 |
| 20150033340 | Giokas | Jan 2015 | A1 |
| 20150242637 | Tonn | Aug 2015 | A1 |
| 20150242639 | Galil et al. | Aug 2015 | A1 |
| 20150372980 | Eyada | Dec 2015 | A1 |
| 20160028750 | Di Pietro | Jan 2016 | A1 |
| 20160044054 | Stiansen | Feb 2016 | A1 |
| 20160094573 | Sood | Mar 2016 | A1 |
| 20160323301 | Boss et al. | Nov 2016 | A1 |
| 20170013018 | Nakata | Jan 2017 | A1 |
| 20170041334 | Kahn et al. | Feb 2017 | A1 |
| 20170093910 | Gukal | Mar 2017 | A1 |
| 20170149830 | Kim | May 2017 | A1 |
| 20170155671 | Hovor | Jun 2017 | A1 |
| 20170155677 | Shakarian | Jun 2017 | A1 |
| 20170161746 | Cook | Jun 2017 | A1 |
| 20170262629 | Xu | Sep 2017 | A1 |
| 20170264626 | Xu | Sep 2017 | A1 |
| 20170286549 | Chandnani | Oct 2017 | A1 |
| 20180007087 | Grady et al. | Jan 2018 | A1 |
| Number | Date | Country |
|---|---|---|
| WO-2016028442 | Feb 2016 | WO |
| WO-2016053514 | Apr 2016 | WO |
| Entry |
|---|
| International Search Report and Written Opinion for Application No. PCT/EP2017/083624, filed Dec. 19, 2017, dated Feb. 13, 2018 (10 pgs). |
| Mertens, “Monitoring pastebin.com within your SIEM,” Retrieved from the Internet: [https://blogrootshell.be/2012/01/17/monitoring-pastebin-com-within-your-siem/] Jan. 17, 2012 (29 pgs). |
| Combined Search and Examination Report under Sections 17 and 18(3) for GB Application No. 1622447.9 dated Jun. 27, 2017, 5 pages. |
| Combined Search and Examination Report under Sections 17 and 18(3) for GB Application No. 1622450.3 dated Jun. 21, 2017, 7 pages. |
| Combined Search and Examination Report under Sections 17 and 18(3) for GB Application No. 1622451.1 dated Jun. 21, 2017, 6 pages. |
| Combined Search and Examination Report under Sections 17 and 18(3) for GB Application No. 1721321.6 dated Jun. 14, 2018, 6 pages. |
| Communication pursuant to Article 94(3) EPC For European Application No. 17816875.3, dated May 3, 2021, 7 pages. |
| European Search Report for European Application No. 16207657.4, dated Feb. 3, 2017, 9 pages. |
| European Search Report for European Application No. EP16207659.0 dated Apr. 3, 2017, 9 pages. |
| International Preliminary Report on Patentability for Application No. PCT/EP2017/083621, dated Jul. 11, 2019, 9 pages. |
| International Preliminary Report on Patentability for Application No. PCT/EP2017/083623, dated Jul. 11, 2019, 8 pages. |
| International Preliminary Report on Patentability for Application No. PCT/EP2017/083624, dated Jul. 11, 2019, 8 pages. |
| International Search Report and Written Opinion for Application No. PCT/EP2017/083621, dated Feb. 28, 2018, 11 pages. |
| International Search Report and Written Opinion for Application No. PCT/EP2017/083623, dated Apr. 12, 2018, 9 pages. |
| Kreibich C., et al., “Honeycomb—Creating Intrusion Detection Signatures using Honeypots”, Workshop on Hot Topics in Networks (Hotnets-II), Nov. 2003, 6 pages. |
| Lemos R., et al., “Startup Aims to Scour the Dark Web for Stolen Data,” MIT Technology Review, Jun. 3, 2015, retrieved from https://www.technologyreview.com/s/537921/startup-aims-to-scour-the-dark-web-for-stolen-data/, 4 pages. |
| Rashid A., et al., “Detecting and Preventing Data Exfiltration,” Lancaster University, Security Lancaster, 2014, 40 pages. |
| Shu X., et al., “Fast Detection of Transformed Data Leaks”, IEEE Transactions on Information Forensics and Security,INSPEC accession No. 15670975, XP011594895, vol. 11 (3), Mar. 2016, 15 pages. |
| Waddell K., “The Spider That Crawls the Dark Web Looking for Stolen Data,” The Atlantic, Feb. 22, 2016, Retrieved from https://www.theatlantic.com/technology/archive/2016/02/the-spider-that-crawls-the-dark-web-looking-for-stolen-data/470220/, 7 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20200389471 A1 | Dec 2020 | US |
