This application claims the priority benefit of Taiwan application serial no. 110145766, filed on Dec. 8, 2021. The entirety of the above-mentioned patent application is hereby incorporated by reference herein and made a part of this specification.
The disclosure relates to an information security technology, particularly to a method and an apparatus related to network analysis.
Cybersecurity has become a major industry in today's computing landscape. According to statistics from the Ministry of Economic Affairs, the scale of the information security industry in Taiwan was NT$55.2 billion in 2020, a growth rate of 11.9%, which is higher than the world's growth rate of 2.8%, and the output value of the information security industry is estimated to reach NT$78 billion by 2025. With the rapid increase in the number of distributed applications in data centers, applications have evolved into virtual machine applications and microservice applications that run in containers, and their network behavior changes even more, presenting greater challenges to information security systems. Therefore, it has become an urgent issue for system administrators to detect malicious behaviors spreading laterally on the intranet and to implement security isolation effectively.
A whitelist of network behaviors is a mechanism for detecting and isolating malicious behaviors; its purpose is to regulate the system resources and the communication protocol scope that a subject may legally access. Under the whitelist mechanism, anything outside the whitelisted scope may not be accessed legally. Traditionally, system administrators maintain whitelists manually, which is workable for a small data center or a small-scale distributed application system. However, as the number of servers increases, manual maintenance tends to lead to management errors, and even a minor rule change may cause abnormal system operation.
In view of this, embodiments of the present disclosure provide a method and an apparatus related to network analysis.
The network analysis method of the embodiment of the disclosure includes (but is not limited to) the following steps. A work topology is mapped into an abstract topology according to the network behavior of the workload. The network behavior is defined by the connection of the workload via one or more ingress ports and/or one or more egress target ports. The work topology records one or more ingress ports or one or more egress target ports supported by the workload, and the abstract topology records the dynamic relationship of the ingress port or the egress target port of the workload that is currently operating and a corresponding anomaly rule. The connections of the workload are compared with the workload model, which comprises the static role, the dynamic relationship, and the anomaly rule, to determine whether an abnormal situation occurs on the workload. The abnormal situation is related to the violation of the anomaly rule, and the dynamic relationship is an associated behavior specification between the workload and another workload via the ingress port or the egress target port of the workload.
The analysis apparatus of the embodiment of the disclosure includes (but is not limited to) a memory and a processor. The memory is configured to store a program code, and the processor is coupled to the memory. The processor is configured to load and execute the program code to map a work topology into an abstract topology according to the network behavior of the workload, and compare the dynamic relationship with the anomaly rule to determine that an abnormal situation occurs on the workload. The network behavior is defined by the connection of the workload via one or more ingress ports and/or one or more egress target ports. The work topology records one or more ingress ports or one or more egress target ports supported by the workload, and the abstract topology records the static role, and the dynamic relationship of the ingress port or the egress target port of the workload that is currently operating and the corresponding anomaly rule. The abnormal situation is related to the violation of the anomaly rule, and the dynamic relationship is an associated behavior between the workload and another workload via the ingress port or the egress target port of the workload.
To make the features of the disclosure more comprehensible, the following embodiments are described in detail with reference to the drawings.
The servers 11, 12, and 13 may be any type of computer system, server, or mobile device. The servers 11, 12, and 13 respectively run application programs APP1 to APP4. In an embodiment, one or more of the application programs APP1 to APP4 is a work machine, a virtual machine, or a containerized application program. In another embodiment, one or more of the application programs APP1 to APP4 are applications or services directly run by a host system.
The analysis apparatus 100 may be any type of computer system, server, or mobile device. The analysis apparatus 100 includes (but is not limited to) a memory 110 and a processor 150.
The memory 110 may be any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, Hard Disk Drive (HDD), solid-state drive (SSD), or similar components. In an embodiment, the memory 110 is configured to record program codes, software modules, configurations, data (for example, topology, rules, models, etc.) or files, and the embodiments will be described in detail later.
The processor 150 is coupled to the memory 110, and the processor 150 may be a central processing unit (CPU), a graphics processing unit (GPU), other programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), programmable controller, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), neural network accelerator, other similar components, or a combination thereof. In one embodiment, the processor 150 is configured to perform all or part of the operations of the analysis apparatus 100 and can load and execute various program codes, software modules, files, and data in the memory 110. In one embodiment, the functions of the processor 150 may be implemented by software or a chip. In some embodiments, multiple functions of the processor 150 may be respectively implemented by the same or different processing elements.
In an embodiment, the analysis apparatus 100 further includes a communication transceiver 130. The communication transceiver may be a transceiver circuit that supports wired networks such as optical fiber, Ethernet, or TV cables, or wireless networks such as Wi-Fi, mobile networks, and Bluetooth. In an embodiment, the communication transceiver 130 includes components such as (but not limited to) digital-to-analog converters, amplifiers, antennas, mixers, etc., depending on its type. In one embodiment, the processor 150 communicates with the servers 11, 12, and 13 via the communication transceiver 130 and the network 50 (for example, a local area network, the Internet, or a private network) to receive data from the servers 11, 12, and 13 or send data to the servers 11, 12, and 13 accordingly.
In some embodiments, at least one of the servers 11, 12, and 13 may be integrated with the analysis apparatus 100 into an independent apparatus, so that the analysis apparatus 100 runs one or more of the application programs APP1 to APP4.
Hereinafter, various components and modules in the system 1 are used to illustrate the method according to the embodiments of the disclosure. Each process of the method may be adjusted accordingly based on different implementations, to which the disclosure is not limited.
Note that any communication endpoint of a computer network may be regarded as a port. A port is a logical concept and is configured to identify or distinguish types or procedures of network services. With this in mind, if an application establishes a connection, the connection is associated with one or more ports.
Ports may be divided into a source port and a destination port, which respectively represent the request-initiating endpoint and the request-receiving endpoint of a certain network service. For example,
In one embodiment, ports are further associated with a network address (for example, an Internet Protocol (IP) address). For example, in
In one embodiment, the application program is further defined with an application (app) name. The app name may be chosen optionally according to actual needs.
In an embodiment, the processor 150 converts the ordinary topology into a work topology. An ordinary topology (also called a network topology) describes the arrangement of network nodes and their connections in a communication network. As shown in
For example,
In another embodiment, the processor 150 may use the ordinary topology directly as the work topology, and obtain part of the information, for example, app name, ingress port, and/or egress target port, in the ordinary topology based on subsequent analysis needs.
On the other hand, the abstract topology records the dynamic relationship of the ingress port or the egress target port of the workload that is currently operating and the corresponding anomaly rules. Similarly, the abstract topology is also classified according to network behavior, and each category regulates its network behavior with ingress port, egress target port, and app name.
Note that, unlike the work topology, the abstract topology replaces each network node with one of the abstract behavior models. In one embodiment, the network behavior specifications of each abstract behavior model include static relationships; that is, the abstract topology additionally records static relationships. A static relationship regulates the number of connections between the ingresses and egresses of a single workload and may be divided into multiple roles. This connection relationship is the correspondence between the number of ingress ports provided by a single workload and the number of egress target ports it uses.
For example,
In one embodiment, roles may be divided into target roles and intermediate roles. The target role refers to the ultimate role of the workload during runtime, and the intermediate role refers to the transition role at one point during runtime. The processor 150 may determine the target role of the workload based on the defined model, and one or more intermediate roles corresponding to the target role are the legal role scope of the workload in the evolution process of the abstract topology. The processor 150 may determine the target role of the workload based on one or more intermediate roles during runtime. The number of ingress ports and the egress target ports of the target role are respectively the sum of the number of ingress ports and the sum of the number of egress target ports of the intermediate role at one or more points during runtime. These points may be the points that are updated due to new connections or new workloads during the topology evolution process, or they may be points that are different from another point by a specific time period.
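The mapping of a work topology into static roles, and the distinction between intermediate roles at successive points and the target role, can be illustrated in code. The following is an added example and not the disclosure's own implementation: a connection record names the source workload, the destination workload, and the destination port, which is an egress target port of the source and an ingress port of the destination; the role names (isolated, client-only, server-only, relay) and the sample connections are constructed here, since the ro1..roN labels of the page are bound to figures that are not in the text.

```python
"""Mapping a work topology into static roles, point by point, as the topology evolves.

Added example (not the disclosure's own code). Role names and sample connections are
constructed; the figures' ro1..roN labels are not available on the page.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src_app: str   # workload that initiates the connection
    dst_app: str   # workload that receives it
    dst_port: str  # egress target port of src_app, ingress port of dst_app


def work_topology(connections: list[Connection]) -> dict[str, tuple[frozenset, frozenset]]:
    """Per workload: (ingress ports it provides, egress targets (app, port) it uses)."""
    ingress: dict[str, set[str]] = defaultdict(set)
    egress: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for c in connections:
        ingress[c.dst_app].add(c.dst_port)
        egress[c.src_app].add((c.dst_app, c.dst_port))
    apps = set(ingress) | set(egress)
    return {a: (frozenset(ingress[a]), frozenset(egress[a])) for a in apps}


def role_of(n_ingress: int, n_egress: int) -> str:
    """Static role: ingress ports provided versus egress target ports used (names constructed)."""
    if n_ingress == 0 and n_egress == 0:
        return "isolated"
    if n_ingress == 0:
        return "client-only"
    if n_egress == 0:
        return "server-only"
    return f"relay({n_ingress} in, {n_egress} out)"


class TopologyEvolution:
    """Snapshots of the work topology at successive points; each point adds new connections."""

    def __init__(self) -> None:
        self.connections: list[Connection] = []
        self.snapshots: list[dict[str, tuple[frozenset, frozenset]]] = []

    def add_point(self, new_connections: list[Connection]) -> None:
        self.connections.extend(new_connections)
        self.snapshots.append(work_topology(self.connections))

    def intermediate_roles(self, app: str) -> list[str]:
        """The transition role of the workload at each point where it is present."""
        roles = []
        for snap in self.snapshots:
            if app in snap:
                ing, eg = snap[app]
                roles.append(role_of(len(ing), len(eg)))
        return roles

    def target_role(self, app: str) -> str:
        """The ultimate role: the static relationship at the latest point."""
        return self.intermediate_roles(app)[-1]


def demo() -> TopologyEvolution:
    """Constructed sample topology (not taken from the figures)."""
    evo = TopologyEvolution()
    evo.add_point([Connection("APP1", "APP2", "port2"),
                   Connection("APP1", "APP3", "port3")])
    evo.add_point([Connection("APP4", "APP3", "port3"),
                   Connection("APP3", "APP1", "port1")])
    return evo


if __name__ == "__main__":
    e = demo()
    for app in sorted(e.snapshots[-1]):
        print(app, e.intermediate_roles(app), "->", e.target_role(app))
```

In the constructed sample, APP3 is a server-only role at the first point and becomes a relay once it opens its own connection to APP1 at the second point; the sequence of intermediate roles is the legal role scope referred to above, and the last entry is the target role.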
For example,
In one embodiment, the network behavior specifications of each abstract behavior model include dynamic relationships. That is, the abstract topology records the dynamic relationship of the ingress port or the egress target port where the workload is currently running. The dynamic relationship is the associated behavior between a workload and another workload via an ingress port or an egress target port of the workload. For example, in
In one embodiment, the network behavior specifications of each abstract behavior model include anomaly rules (or called logic condition restrictions), that is, the anomaly rules corresponding to the workload in a specific static relationship and/or dynamic relationship recorded by the abstract topology. Anomaly rules describe the conditions corresponding to normal connections.
In one embodiment, the anomaly rule includes a limit on the number of normal connections. In one embodiment, the number of connections is defined as a specific number, an upper limit, or a lower limit. The specific number is a hard condition that must be met for normal connections; for example, the number of normal connections can only be three. The upper limit is the most that normal connections may reach; for example, the number of normal connections is at most five. The lower limit is the least that normal connections must reach; for example, the number of normal connections is at least one.
It should be noted that, in other embodiments, the anomaly rule may also be a restriction on app names or on specific ports. For example, the workload may only be connected to the application APP2. For another example, at least the port port1 needs to be provided as an ingress port.
In an embodiment, the processor 150 determines that the network behavior of the workload belongs to one of a plurality of abstract behavior models. The processor 150 may establish one or more abstract behavior models, and each abstract behavior model is defined with corresponding static relationships, dynamic relationships, and anomaly rules. For example, the static relationship of the first model conforms to the role ro3, the dynamic relationship provides the application with a specific ingress port and/or the egress target port for connecting to other applications, and the anomaly rule is at least one connection. The processor 150 may adopt an abstract behavior model corresponding to the current network behavior of the workload to replace the network node in the work topology. After the network nodes in the work topology are replaced by the corresponding abstract behavior model, an abstract topology is formed. That is to say, the abstract behavior model is a specific specification (such as dynamic relationship, static relationship, or anomaly rules) to describe the network behavior of the workload and its restriction. In some embodiments, these abstract behavior models may be stored in a model database and be accessed by the processor 150 or other devices.
For example,
In
In one embodiment, the anomaly rule is a limit on the number of connections. The processor 150 may compare whether the dynamic relationship of the workload at the current point in time meets the limit on the number of connections. For example, the limit on the number of connections is a specific number, which is 2. If the comparison result is that the number of the egress targets in the dynamic relationship of the workload is 2, then the condition set for the number of connections is met, and there is no abnormal situation; but if the comparison result is that the number of egress targets in the dynamic relationship is 3, the condition set for the number of connections is violated, and an abnormal situation occurs.
In one embodiment, the number of connections is defined as a specific number, an upper limit, or a lower limit. In response to the dynamic relationship meeting the specific number of connections, the processor 150 sets the workload to a first lock state. In response to the dynamic relationship meeting the upper limit of the number of abnormal connections, the processor 150 sets the workload to a second lock state. And in response to the dynamic relationship not meeting the lower limit of the number of abnormal connections, the processor 150 sets the workload to a third lock state. These three lock states may be the same or different from one another.
In one embodiment, in response to the workload being locked, the processor 150 continues to review the topology of the subsequent evolution of the workload. In response to the new dynamic relationship violating the anomaly rule, the processor 150 determines that the workload in the lock state has an abnormal situation. The topology of subsequent evolution refers to the work topology or the abstract topology updated by the subsequent newly added connections and/or workloads.
For example, if the workload in the lock state still does not satisfy the “specific number” (that is, it does not meet the anomaly rule), the processor 150 regards the network behavior of the workload as an illegal connection or a functional error connection, and adds the workload to the anomaly list. If the workload in the lock state still violates the “upper limit,” the processor 150 regards the network behavior of the workload as an illegal connection or a functional error connection, and adds the workload to the anomaly list. If the workload in the lock state still violates the “lower limit,” the processor 150 regards the network behavior of the workload as a functional error connection, and adds the workload to a watch list. That is to say, the subsequent handling (for example, the troubleshooting operation) of an abnormal situation may vary depending on the lock state.
In other embodiments, as long as the dynamic relationship of the workload does not meet the anomaly rule for the first time, the processor 150 may directly determine that an abnormal situation has occurred and ignore the lock state.
In an embodiment, the processor 150 may judge the state evolution of the workload during the runtime based on a finite-state machine, and the finite-state machine includes multiple states. For example,
If the workload is in the start state, it may evolve into the Intermediate state S2, the Lock state S3, the Watch state S4, the Anomaly state S5, or the DoNotCare state S6. If the workload is in the Intermediate state S2, it may evolve into the Lock state S3 or the Watch state S4. If the workload is in the Lock state S3, it may only evolve into the Anomaly state S5 or remain in the lock state (indicating that the workload remains in the normal state).
If the workload is in the Watch state S4, the processor 150 adds the workload to the watch list WL. If the workload is in the Anomaly state S5, the processor 150 adds the workload to an anomaly list AL, and considers that an abnormal situation has occurred. If the workload is in the Intermediate state S2, the Lock state S3, or the DoNotCare state S6, the processor 150 regards the workload as normal operation.
The following is an application scenario as an example for further description. FIG. 9A is a schematic diagram of an abstract behavior model according to an embodiment of the disclosure. In
Then, as the new applications APP5 and APP6 and their connections join, the application APP1 continues to meet the upper limit of the number of connections in the anomaly rule, so the application APP1 remains in the second lock state lock2. In addition, the application APP4 continues to meet the specific number of connections in the anomaly rule, so the application APP4 remains in the first lock state lock1.
Note that the application APP6 is modeled into the third model of
The newly added application APP8 adds an egress target (i.e., application APP8 and port8) to the workload of application APP4, which makes the number exceed the specific number (for example, 1) set by the second model in
In addition, the application APP6 still does not meet the lower limit of the number of connections in the anomaly rule. Since the application APP6 is already in the third lock state lock3, the processor 150 may add the application APP6 and its port port6 to the watch list WL.
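The anomaly rules with their three lock states, the review of subsequently evolved topology, the state machine (Start, Intermediate, Lock, Watch, Anomaly, DoNotCare), and the scenario just described can be combined into one worked example. The following is an added example and not the disclosure's own code: the models, thresholds (an upper limit of 3 for APP1, a specific number of 1 for APP4, a lower limit of 1 for APP6), connections and port names are constructed to echo the scenario, since the values in the figures are not on the page; only egress target counts are limited, and the `strict` flag stands for the variant in which the first violation is directly an abnormal situation regardless of lock state.

```python
"""Anomaly rules, lock states, and the workload state machine.

Added example, not the disclosure's own code. Models, thresholds, connections and
ports are constructed to echo the scenario in the text; the figures' values are unknown.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto


class Kind(Enum):
    EXACT = auto()     # a specific number of connections
    AT_MOST = auto()   # an upper limit
    AT_LEAST = auto()  # a lower limit


@dataclass(frozen=True)
class AnomalyRule:
    kind: Kind
    value: int

    def satisfied(self, count: int) -> bool:
        if self.kind is Kind.EXACT:
            return count == self.value
        if self.kind is Kind.AT_MOST:
            return count <= self.value
        return count >= self.value


class State(Enum):
    START = auto()
    INTERMEDIATE = auto()
    LOCK = auto()
    WATCH = auto()
    ANOMALY = auto()
    DONOTCARE = auto()


@dataclass
class Workload:
    name: str
    rule: AnomalyRule | None                      # None: the model sets no limit
    egress_targets: set[tuple[str, str]] = field(default_factory=set)
    state: State = State.START
    lock: str | None = None                       # lock1 / lock2 / lock3 once locked


class Analyzer:
    def __init__(self, strict: bool = False) -> None:
        self.strict = strict      # True: first violation is an anomaly, lock states ignored
        self.workloads: dict[str, Workload] = {}
        self.watch_list: list[str] = []
        self.anomaly_list: list[str] = []

    def register(self, wl: Workload) -> None:
        self.workloads[wl.name] = wl

    def add_connection(self, src: str, dst: str, dst_port: str) -> None:
        """A new connection extends the source's dynamic relationship by one egress target."""
        self.workloads[src].egress_targets.add((dst, dst_port))

    def _lock(self, wl: Workload, lock: str) -> None:
        wl.state, wl.lock = State.LOCK, lock

    def review(self, wl: Workload) -> State:
        """One review point: compare the current dynamic relationship with the anomaly rule."""
        if wl.rule is None:
            wl.state = State.DONOTCARE
            return wl.state
        if wl.state in (State.WATCH, State.ANOMALY):
            return wl.state                         # handed to troubleshooting; not re-evaluated
        met = wl.rule.satisfied(len(wl.egress_targets))
        if self.strict and not met:
            wl.state = State.ANOMALY
            self.anomaly_list.append(wl.name)
        elif wl.state is State.LOCK:                # locked workloads are reviewed again later
            if not met and wl.lock == "lock3":      # lower limit still unmet: watch list
                wl.state = State.WATCH
                self.watch_list.append(wl.name)
            elif not met:                           # specific number or upper limit broken
                wl.state = State.ANOMALY
                self.anomaly_list.append(wl.name)
        elif wl.rule.kind is Kind.EXACT and met:
            self._lock(wl, "lock1")
        elif wl.rule.kind is Kind.AT_MOST and met:
            self._lock(wl, "lock2")
        elif wl.rule.kind is Kind.AT_LEAST and not met:
            self._lock(wl, "lock3")
        else:
            wl.state = State.INTERMEDIATE           # not converged yet; still regarded normal
        return wl.state

    def review_all(self) -> dict[str, State]:
        return {name: self.review(wl) for name, wl in self.workloads.items()}


def run_scenario() -> Analyzer:
    """Constructed replay of the scenario: three evolution points of the topology."""
    a = Analyzer()
    a.register(Workload("APP1", AnomalyRule(Kind.AT_MOST, 3)))
    a.register(Workload("APP4", AnomalyRule(Kind.EXACT, 1)))
    a.register(Workload("APP7", None))
    a.add_connection("APP1", "APP2", "port2")
    a.add_connection("APP1", "APP3", "port3")
    a.add_connection("APP4", "APP3", "port3")
    a.review_all()                                  # APP1 -> lock2, APP4 -> lock1
    a.register(Workload("APP6", AnomalyRule(Kind.AT_LEAST, 1)))
    a.add_connection("APP1", "APP5", "port5")
    a.review_all()                                  # APP1 still within limit; APP6 -> lock3
    a.add_connection("APP4", "APP8", "port8")
    a.review_all()                                  # APP4 -> anomaly list, APP6 -> watch list
    return a
```

Running `run_scenario()` leaves APP1 locked in lock2, APP4 in the anomaly list after the APP8 connection breaks its specific number, APP6 in the watch list after remaining below its lower limit while in lock3, and APP7 in the DoNotCare state.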
The following is the description of the behavior analysis of step S230.
On the other hand, when there is no new workload in the network 50 but the processor 150 finds a new connection in the network 50 (step S126), the processor 150 updates the work topology (step S127). Next, the processor 150 compares the finite state with the found abstract behavior model to update the status indicators of the workloads at both ends of the new connection (step S128).
In summary, in the apparatus and the method related to network analysis in the embodiments of the disclosure, network behavior is described by static and dynamic relationships, and whether an abnormal situation occurs is determined by checking whether that behavior meets or violates the anomaly rules of the abstract behavior model. In response to an abnormal situation, a troubleshooting operation is further provided. In this way, a systematic method and a lightweight comparison operation are provided that fully describe network behaviors using a small number of parameters, continuously optimize and reduce spurious security incidents, and may adapt to data centers with different architectures and different distributed applications.
Although the disclosure has been disclosed in the above embodiments, they are not meant to limit the disclosure. Anyone with common, general knowledge in the art can make changes and modifications without departing from the spirit and scope of the disclosure. The scope of the disclosure shall be determined by the scope of the claims attached.
Number | Date | Country | Kind |
---|---|---|---|
110145766 | Dec 2021 | TW | national |