The present invention generally relates to communication networks. More specifically, the present invention is concerned with a method and system for detecting a particular traffic, such as unwanted traffic, traveling in the communication networks.
Over the past few decades, telecommunication networks have experienced an incredible growth and expansion. Because of the ever increasing demands from the users, operators offering telecommunication services need constantly to adapt their networks so as to be able to respond to the requests and demands of the users. The mobile networks have evolved from supporting simple voice services to supporting rich multimedia services, such as video sharing, video-on-demand, streaming, music download, etc. These networks are made possible through deployment of broadband access networks and convergence of technologies and networks, such as mobile and IP networks. New networks also support new communication models, e.g. group/community communications.
In order to take advantage of the broadband access networks and to enable co-existence of the different technologies, 3GPP has developed a new core network called the Evolved Packet Core (EPC). The EPC has been planned for 3GPP Release 8 and can be used by several access networks, such as long-term evolution (LTE), high-speed packet access/high speed packet access evolved (HSPA/HSPA+), and non-3GPP networks, e.g. WiMAX.
The EPC along with a set of access systems, such as evolved universal terrestrial radio access network (eUTRAN) or UTRAN, constitute the Evolved Packet System (EPS) network. The EPS network represents a migration from the traditional hierarchical system architecture to a flattened architecture.
However, in such an EPS network, SPAM, phising, virus, malicious software (or malware) or any unwanted traffic can become a major potential problem by creating additional traffic in the network, which can then contribute to creating bottlenecks. Also, when the unwanted traffic, such as viruses, is generated by the mobile nodes, the unwanted traffic can spread all over the mobile network. Furthermore, more and more powerful mobile devices run on open technologies, such as Java and Linux, therefore, the surface attack can be increased for these mobile devices.
Current solutions under discussion for combating unwanted traffic in communication networks generally use unified threat management (UTM), implemented in a node of the networks. However, these solutions use a centralized architecture in which, for example, the threat analysis and detection are provided by a central node.
A solution is therefore needed that allows proper threat management or detection of a particular traffic in a network, such as a network with a flattened architecture, while remaining flexible to the network's characteristics.
More specifically, in accordance with the present invention, there is provided a method for detecting a particular data traffic in a communication network having a plurality of nodes. The method comprises the steps of: maintaining a list of detecting scans to be applied to an incoming data traffic; receiving the incoming data traffic; and applying a subset of the detecting scans in the list to the incoming data traffic.
According to another aspect of the present invention, there is provided a network node for detecting a particular traffic in a communication network having a plurality of nodes. The network node comprises: a list of detecting scans to be applied to an incoming data traffic; an input for receiving the incoming data traffic; and an inspection chain, which applies a subset of detecting scans in the list to the incoming data traffic.
The foregoing and other objects, advantages and features of the present invention will become more apparent upon reading of the following non-restrictive description of illustrative embodiments thereof, given by way of example only with reference to the accompanying drawings.
In the appended drawings:
In the following description, non-restrictive illustrative embodiments of the present invention will be described in the context of the EPS network. However the embodiments of the present invention are not restricted to such a network and can be applied to other networks with flattened architectures or many other communication networks. For example, the embodiment of the present invention can be used in a network having a plurality of nodes, the plurality of nodes collaborating with each other for detecting a particular traffic.
Also, it should be noted that in the following description, the term “inspectors” can be interchangeably used with the term “agents” to mean the same object and/or function, without departing from the scope and nature of the present invention.
Generally stated, the non-restrictive illustrative embodiments of the present invention provides for detection of a particular traffic, which can be any unwanted or wanted traffic, in a communication network or more particularly in a mobile network. Even though detection of the unwanted traffic is explained in more detail in the following description, embodiments of the present invention also provide for detection of any particular traffic, which can be a wanted or desired traffic, such as voice data for example.
The illustrative embodiments of the present invention use a distributed, incremental and opportunistic system and method for detecting the particular traffic. By distributed, it is meant that the detection of the particular traffic can be done in different nodes of the communication network and applied to different data flows. The detection of the particular traffic can be provided by a list of detecting scans or analyses for example, this list being called the detection list. By incremental, it is meant that the amount or number of scans applied to the different data flows can be accumulated each time that the different data flows go through a node. By opportunistic, it is meant that depending on the available load or available resources of each node, each node can choose a different number, or subset, of scans that it can handle for application to the different data flows going through the node. By being flexible in terms of capacity (number or size of the subset of applied scans) and by distributing the detection over the plurality of nodes in the network 10, the latency in the network can be reduced. Indeed, the traffic is less likely to be blocked at one node, which was the case in UTM for example where the central node had to apply all the scans in a detection list to the data flows, but rather the traffic can flow from nodes to nodes.
Furthermore, in the non-restrictive embodiments of the present invention, a terminal node is provided. The terminal node makes sure that all the necessary detecting scans in the detection list are applied to the different data flows when the data flows go through the terminal node. Therefore, the desired scans are less likely to be omitted in the detection of the particular traffic in the communication network. It should be noted that by necessary scans, it is meant all the detecting scans which are deemed necessary by security authorities, for instance, for detecting a particular traffic.
The EPS network can support all IP-based services, such as voice, video, rich media and messaging with end-to-end Quality of Service (QoS) for example. The EPS network architecture also enables improved connections and hand-over to other fixed-line and wireless access technologies while giving an operator the ability to deliver a seamless mobility experience.
Now turning to
The EPS network 10 generally comprises two types of nodes, gateways and base stations, through which a user equipment (UE) 34 can access the network and the services it provides. The base stations comprise for example those of the UTRAN 12 and the eUTRAN 14.
The eUTRAN 14 is connected to a gateway, such as a serving gateway (S-GW) 22. The S-GW 22 is further connected to a mobility management entity (MME) 24. The S-GW 22 can be further still connected to a Serving GPRS Support Node (SGSN) 26 and to a packet data network gateway (PDN-GW) 28.
Furthermore, the PDN-GW 28 can be connected to internet 30 and/or operators 32, which offer IP services for example, and to an IP Multimedia Subsystem (IMS) 34.
More specifically, the UTRAN 12 comprises nodes B and radio network controllers RNC (not shown), which are well-known in the art. The eUTRAN 14 comprises a plurality of evolved nodes B, called eNode B. In
Also, the eNodes B, 16, 18 and 20 can contain the following functions: the long term evolution (LTE) physical layer (PHY), the Media Access Control (MAC), the Radio Link Control (RLC), Packet Data Control Protocol (PDCP) layers, etc. Accordingly, they can perform tasks such as resource management, admission control, air interface security, scheduling and enforcement of negotiated QoS for example.
The S-GW 22 acts as a local mobility anchor for guiding, forwarding and receiving data packets to and from the UE 34 via the eNodes B 16, 18 and 20. Furthermore, during inter-eNode B handovers, the S-GW 22 acts as a mobility anchor for the user plane. It can also act as an anchor for mobility between the LTE technology and other 3GPP and non-3GPP technologies.
The MME 24 manages the mobility of the UE 34 and handles control signaling for mobility of the UE 34. For instance, when the UE 34 is in an idle mode, the MME 24 is responsible for tracking the UE 34 and the paging procedure that can include retransmissions. The MME 24 can be also involved in the bearer activation/deactivation process. Furthermore, the MME 24 can interact with a Home Subscriber Server (not shown) so as to authenticate the UE 34 or its user/subscriber.
The UE 34 can be a mobile node, such as a cell-phone, a personal digital assistant (PDA), a laptop or any other wireless devices. In case of non-3GPP technologies, the UE 34 may also be a wireline device.
The PDN-GW 28 interfaces with external networks such as Internet 30 and IMS 34 and is responsible for IP functions such as address locations, routing, etc.
In the context of combating SPAM, viruses, and other kinds of unwanted traffic which may propagate through a communication network, such as the EPS network 10, detection of a particular traffic means detection of the unwanted traffic. In the following, a detecting system according to a non-restrictive illustrative embodiment of the present invention, as depicted in
In
The generator 52 (or HOS agency) generates different inspectors and detecting scans, which are carried by the inspectors and used for detecting the unwanted traffic going through the EPS network 10, as will be explained hereinbelow. The generator 52 can be a piece of software, implemented in any network nodes, such as a network controller, a router, an eNode B or a gateway of the EPS network 10. Also, more than one generators 52 can be implemented in the EPS network 10, depending on the needs and size of the network 10 or on the network parameters or administrative issues (only one HOS agency is shown in
Additionally and/or alternatively a recursive approach for generating inspectors and detecting scans can be provided. For example, the generator 52 can generate additional sub-generators (not shown) to be hosted in other nodes, those sub-generators in turn generating the inspectors/detecting scans and/or yet further sub-generators, etc.
The different inspectors and detecting scans generated by the generator 52 are then distributed to the different nodes in the EPS network 10, such as the eNodes B 16, 18 and 20, and the S-GW 22. The distribution of the generated inspectors and detecting scans to the different nodes can be done according to the specificities and needs of each node, such as its geographical context, and the specificities and needs of the EPS network 10.
The different inspectors received and hosted by a node form an Inspection Station (IS) 54. As an example, in
Now, turning to
As mentioned earlier, the IS 54 can be hosted in a node, such as the eNode B 16, 18 or 20, or in a gateway.
The IS 54 comprises the inspectors received from the HOS agency or generator 52. The inspectors are of two (2) types: a head inspector (HI) 60 and a plurality of inspectors carrying the detecting scans generated by the generator 52 as well. The plurality of inspectors carrying the detecting scans forms an inspection chain 62, which allows for performing analyses on the different data flows passing through the hosting node. The head inspector 60 can comprise a counter 65 and a detector 61. Furthermore, the IS 54 can further comprise an input 63 for receiving the incoming data traffic 66.
More specifically, each inspector can be a software agent and can apply its detecting scans to the different data flows, so as to perform some specific pattern matching on the different data flows. Each pattern can define a virus, SPAM, or any unwanted traffic, for example. An inspector can have only one pattern to match or several patterns to match. The HI 60 keeps a list of all the inspectors present in the IS 54 and a list of all the detecting scans generated by the generator 52; this list is referred to as the detection list.
The role of the head inspector 60 comprises managing the inspectors forming the inspection chain 62 in the IS 54 and separating the incoming data traffic 66 into different types of data flows 641, to 64M, such as HTML, SSL, Voice, etc. For example, the head inspector 62 can act as a dividing module in this case. When the head inspector 60 receives a new inspector and/or a new detecting scan from the generator 52, it updates its list of inspectors and its detection list of detecting scans and then assigns the new inspector and detecting scan to a type of data flows 64m, where m=1 to M, to process. The head inspector 60 can also remove, through the counter 65 for example, an inspector and a detecting scan, which has become useless, from its list for example. In that situation, the head inspector 60 will need to communicate first with the terminal node, as will be explained hereinbelow. Furthermore, the head inspector 60 can also monitor the detection process applied through the inspection chain 62, to the different types of data flows 641, to 64M. More specifically, the plurality of inspectors of the inspection chain 62 applies their detecting scans, which correspond to different SPAM, viruses and other unwanted traffic signatures or patterns, to the different data flows, each detecting scan being identified by an ID. When a match is found in the signatures or patterns, the match is reported to the head inspector 60 and the detected unwanted data flow is then discarded or removed from the network 10 by the inspection chain 62. For example, the inspection chain 62 can refrain from forwarding the detected unwanted traffic to the next node in the network 10. Also, the network 10 can identify the user who has generated the detected unwanted traffic and block that user from accessing the network 10. Furthermore, the ID of each applied scan is put into a list, which is then transmitted to the HI 60. The ID list of the already applied scans is forwarded to the next node where the data traffic goes to. The HI 60 therefore also keeps the ID list of the detecting scans which have been already applied to the data traffic or to be applied to the data flow, before the data traffic is sent to a next node as an outgoing traffic, the next node being identified from the data traffic.
As a non-limitative example in
The counter 65 allows for measuring the number of hits for each particular inspector and its detecting scans that have been used for different data traffic flowing through the network 10. The number of hits for each inspector and its detecting scans is an indication of the performance of the inspector and its detecting scans. Based on this number, an inspector along with its detecting scans can be removed from the IS 54, when compared with the performance of the other inspectors and their detecting scans in the IS 54, its performance being lower than the other performances. It should be noted that the counter 65 can be implemented outside of the HI 60, such as a standalone unit, for example.
The detector 61 allows for determining detecting scans from the detection list which have been already applied to a current data flow and at least one detecting scan which still need to be applied to the current data flow. Generally, the detector 61 receives the ID list of already applied detecting scans from a previous node and then selects the subset of detecting scans among the at least one detecting scans to be applied to the current data flow. The inspection chain 62 can then apply the selected subset of detecting scans to the current data flow. It should be noted that the detector 61 can be also implemented outside of the Hi 60, such as a standalone unit, for example.
Now, turning to
The terminal node hosting the terminal IS 54T comprises a terminal head inspector (THI) 72, and a plurality of inspection stations 76, corresponding to the plurality of inspection stations 54 in the network 10. Each IS 76 comprises a head inspector 78, which corresponds to the HI 60 of the corresponding IS 54.
The THI 72 has substantially the same functions and tasks as the head inspector 60 of a regular IS 54, as will be described hereinbelow. For example, the THI 72 has the responsibility of following the different types of data flows originating from the nodes, such as eNodes B 16, 18 and 20. To do so, the THI 72 receives from each IS 54, through which the different data flows went, the ID list of all the scans that were applied to the different data flows. More specifically, the HI 60 of each IS 54 sends the ID list of the already applied scans to the THI 72. The THI 72 forwards the incoming traffic and the ID list of applied scans to the different head inspectors 78. Each head inspector 78 then divides the incoming data traffic into the different types of data flows.
For each type of data flows, the THI 72 has a detection list of all the detecting scans to be applied to the type of data flows in order to declare the data flow healthy. Therefore, when the data traffic arrives at the terminal node, the THI 72 can determine which scans have not been applied yet to a data flow by comparing the received ID list of the already applied scans against the detection list of all the scans to be applied. Therefore, in this case, the THI 72 acts as the detector 61 of
The terminal node is defined as the last node through which the data traffic goes before being sent out to another network, for example. Also, after this node, all the detecting scans in the detection list are applied to the data traffic.
As described above, the detection is based on pattern matching against known illegitimate patterns. Additionally in an alternative embodiment of the present invention, anomaly detection may be performed by the IS 54 or 76, where, instead of detecting known unwanted patterns, data traffic having unknown patterns are considered unwanted traffic. In this case, the data traffic is matched with known legitimate patterns, which are carried by the different detecting scans. At each node, the IS 54 applies a subset of detecting scans to the data traffic. If an IS 54 in a node fails to recognize the incoming data traffic as legitimate using its detecting scans, then the data traffic is forwarded to another IS 54, which also tries to match the incoming data traffic against some other known legitimate patterns of the detecting scans given by another subset of detecting scans. If, after all the known patterns of the detection list of detecting scans have been tried in the terminal node, for example, a match is still not found, then the data traffic is considered unwanted and is handled as described above, e.g. the data traffic is discarded and removed from the network 10.
It should be noted that in this case, the generator 52 generates detecting scans which represent known legitimate patterns of data traffic, i.e. the detecting scans are generated according to a wanted traffic pattern or signature database.
Furthermore, in another embodiment of the present invention, instead of detecting unwanted traffic, a particular traffic, which is a wanted or desired traffic, can be also detected, such as voice traffic for QoS purposes for example or duplication of traffic to send to a Law Enforcement Agency. In this case, the generator 52 generates detecting scans which are based on the wanted traffic pattern or signature database. At each node, the data traffic which matches the wanted traffic is treated accordingly.
A method for detecting a particular traffic in a node of a communication network, such as the EPS network 10, is illustrated in
Referring concurrently to
In step 82, a list of detecting scans to be applied to an incoming data traffic is maintained in the node.
In step 84, the incoming data traffic is received by the node.
Then in step 86, a subset of the detecting scans in the list is applied to the incoming data traffic so as to detect the particular traffic.
The detected particular traffic can be discarded in the case of unwanted traffic detection and in the case of wanted traffic detection, the detected particular traffic can be reserved for further processing.
It should be noted that the size of the subset can be determined according to the characteristics of the node, such as its configuration, its capacity, its memory use, or its central processing unit (CPU) load, etc.
More specifically, now turning to
In step 90 of the method 88, the generator 52 generates inspectors and a plurality of detecting scans carried by the inspectors, according, for example, to a SPAM, virus and any other unwanted traffic signature or pattern database in the case where detecting the particular traffic means detecting unwanted traffic. In the case of detecting unknown traffic (which is to be discarded), the detecting scans are generated according to a known and legitimate pattern data traffic database. In the case of detecting wanted traffic, the detecting scans are generated according to the wanted traffic pattern database.
The inspectors and their detecting scans can be further generated according to specific data traffic types, geographical characteristics and/or parameters of the network 10, for example. It should be noted that the inspectors and the detecting scans can be updated and modified over time based on their use in the different IS 54, as will be explained hereinafter.
In step 92, the generated detecting scans and the inspectors are distributed over the plurality of nodes so as to form a plurality of IS 54, according to the specific needs of each hosting node. More specifically, each head inspector 60 receives the generated detecting scans and inspectors and assigns them to a data flow so as to form the inspection chain 62 as illustrated in
In step 94, the incoming data traffic going through an IS 54 is separated into different types of data flows by the head inspector 60 or a dividing module. Each data flow can be identified by its origin (source address), its type (e.g. VoIP, HTTP, etc.) and its destination (destination address) in the EPS network 10. It should be understood that other identification parameters and procedures can be used. The different data flows are then sent to the inspection chain 62 in the IS 54.
Upon receiving the different data flows, the inspection chain 62 applies a subset of detecting scans, through the inspectors, to the data flows, in step 96.
The number of detecting scans in the subset depends on the load of the node. For example, if the node eNode B 16 has a heavy load, then a few, one or two for example, scans are to be applied to the data flows. However, in the case where the eNode B 16 does not have a heavy load, it can perform a larger number of scans.
For example, as a measure of load of the node, the Central Processing Unit (CPU) load or memory load can be taken into consideration. A certain free time and fixed size of the memory can be dedicated to unwanted traffic detection. This measure can be referred to as the Free Process Time (FPT). The FPT is chosen in such a way as to not impact the quality of the services provided by the node. The FPT can be different for different types of data traffic, such as HTML or SSL, and for different nodes, depending on the load of the nodes. For example, if in the eNode B 16 the load of the CPU is used only by 20% and the memory use is at 50%, the CPU load can be increased to 30% and the memory use to 60% without affecting the quality of the services provided by the eNode B 16. These increases can be then used for the detection of the particular traffic. It should be understood that other measures can be used for determining the load and resources of a node, such as a latency measure or processing time for each data packet.
Upon application of the scans, if a match is found, in the case of detecting unwanted traffic through known illegitimate patterns, the match is transmitted to the HI 60. Also, in this case, the detected unwanted data traffic can be discarded right away so as to eliminate the unwanted traffic as soon as possible in the network 10. This is done in step 98.
Once the application of the subset of detecting scans is done, according to the load of the node, the rest of the data traffic is sent to a next node in the EPS network 10, as an outgoing traffic, the next node being identified from the data traffic. This is done in step 100.
In the case of detecting wanted traffic, if there is a match upon application of the subset of detecting scans, then the detected wanted data traffic can be directed to a specific destination for further processing for example. However, if no match has been found, then the traffic is sent to a next node, as an outgoing traffic, the next node being identified from the data traffic; this step is still done in step 100.
In the case of detecting unwanted/unknown traffic, which have unknown patterns, the data traffic is discarded only if no match has been found after all the detecting scans of the detection list have been applied. If a match is found, then the data traffic can be sent to a next node, as an outgoing traffic, the next node being identified from the data traffic; this step is also done in step 100
Also, the detecting scans applied in step 96 are marked down in a list by using their IDs. Indeed, a list of IDs of all the applied detecting scans is kept. The IDs of the already applied detecting scans or of the detecting scans to be applied to the data traffic in this node are added into the ID list. The ID list is then transmitted, through a communication channel, for example, to the next node, and more specifically to the head inspector 60 of the next node in which the data traffic is received.
Upon receiving the data traffic and the ID list of applied scans, the next node determines, through the detector 61 for example, if at least one detecting scans still need to be applied to the incoming data traffic. If so, then a subset of additional detecting scans is selected from the determined at least one detecting scans. In step 102, the selected subset of additional scans will be applied to the received incoming data traffic, separated into the different data flows, the size of the subset being dependent on the load and FPT of this next node, as mentioned earlier. The subset of applied scans in this step is different from those applied in step 96, so that the total number of scans applied to the data traffic is incremental and accumulated after each passage of the data traffic through a node. Each time that the data traffic goes through a node, the ID list is updated and the updated ID list is transmitted to the next node. Alternatively, instead of transmitting the IDs of the applied scans, the data traffic itself can be marked in relation to the applied scans.
Step 96 to step 100 are repeated as the data traffic flows in the network 10, from node to node, until it reaches the terminal node.
In step 104, the data traffic is transmitted to the terminal node as shown in
The incoming data traffic is received by the THI 72. Also, the ID list of the already applied detecting scans is transmitted to the terminal node and received by the THI 72. The THI 72 then determines if all the detecting scans of the detection list have been applied to the incoming data traffic. If not, then the THI 72 selects a subset of all the detecting scans which were not applied yet, i.e. the remaining detecting scans in the detection list. Then, the THI 72 sends the data traffic to the different head inspectors 78 in the terminal node. Each of the head inspectors 78 then separates the received data traffic into the different types of data flows corresponding to the different data flows in the node where the data traffic comes from. The THI 72 can request each HI 78 to apply the subset of remaining scans in the detection list to a particular data flow. In step 106, the subset of remaining scans in the detection list is applied to the data flow.
Because the terminal node is the last node, through which the data traffic goes before it is sent out to another network for example, it needs to make sure that all the scans of the detection list have been applied to the data traffic.
It should be noted that the detecting system 50 of
When a new inspector and its detecting scans are added to an IS 54 hosted in an eNode B for example, the HI 62 updates its detection list of detecting scans. Furthermore, the terminal 54T also receives the new inspector and its detecting scans and updates its list of detecting scans. However, there is no need of having a simultaneous communication between the IS 54 and the terminal IS 54T concerning the newly added inspector and its detecting scans. The worst case that can happen is that the new detecting scans will be applied twice to the same data flow, once in the IS 54 and once in the terminal 54T.
However, before removing (or down-prioritizing) an inspector and its detecting scans, such as the least used inspector and detecting scans, from the inspection chain 62, the IS 54 should communicate first with the THI 72. More specifically, the IS 54 should wait for a confirmation from the THI 72 of the terminal node that the inspector and its detecting scans to be removed (or down-prioritized) have been already applied to a data flow in the terminal node or in a previous node. In that case, this inspector and its detecting scans can be removed (or down-prioritized).
By deploying the non-restrictive embodiments of the present invention, it is believed that less hardware in each node is required for a particular traffic detection. Also, in the case of detecting unwanted traffic, since the detected unwanted traffic is eliminated as soon as it is detected, which can be early in the network, bandwidth is saved for all the subsequent nodes and transmissions.
Although the present invention has been described in the foregoing specification by means of a non-restrictive illustrative embodiment, this illustrative embodiment can be modified at will within the scope, spirit and nature of the subject invention.