The present invention relates to security of a network and, more particularly, to a method for deterring malicious network traffic by using a graphic processing technique to inspect packets.
To protect a computer system or a network from attacks, the network is monitored and malicious network traffic is deterred by defending means such as a web application firewall (‘WAF’), an intrusion-preventing system (‘IPS’), an intrusion-detecting system (‘IDS’) and an advanced threat-preventing (‘ATP’) technique. A typical method to monitor the internet is to use the defending means to execute deep packet inspection (‘DPI’) on packets of inline network traffic to a host computer or data center. On finding a packet to include malicious-pattern data, the defending means immediately provides a warning and/or blocks the malicious network traffic.
To inspect packets, packets of common attacks are analyzed, and malicious patterns are extracted from the packets and turned into signature-based or policy-based models for comparison. On finding a packet of network traffic to include a malicious pattern after comparing the packet with the models, the defending means immediately provides a warning or blocks the network traffic. The packets of the network traffic are compared with the models, one after another. The defending means gets less efficient as it uses more models. Thus, an attacker can finally paralyze the defending means and gain access to the data center or an end user.
As described above, to monitor a network and inspect network traffic, the DPI compares the packets of the network traffic with the models one after another. Hence, the work load on the defending means gets heavier as the defending means uses more models. Thus, the defending means gets less efficient and could be paralyzed. To solve this problem, currently, the specifications and number of the defending means are increased. However, this inevitably increases the cost of the defense.
The present invention is therefore intended to obviate or at least alleviate the problems encountered in prior art.
An objective of the present invention is to provide an effective and inexpensive method for deterring at least one packet of inline network traffic to a data center from an external user via a cloud.
Another objective of the present invention is to provide an efficient and precise method for deterring at least one packet of inline network traffic to a data center from an external user via a cloud.
To achieve the foregoing objectives, the method includes the step of receiving at least one packet of inline network traffic before the data center. Then, the packet of the inline network traffic is converted into at least one network traffic-related graphic. Then, the network traffic-related graphic is compared with model-related graphics. Then, it is determined whether the network traffic-related graphic matches any of the model-related graphics. A warning is provided or the packet of the inline network traffic is blocked if the network traffic-related graphic matches any of the model-related graphics. The packet of the inline network traffic is transferred to the data center if the network traffic-related graphic does not match any of the model-related graphics.
Other objectives, advantages and features of the present invention will be apparent from the following description referring to the attached drawings.
The present invention will be described via detailed illustration of two embodiments referring to the drawings wherein:
Referring to
Referring to
Referring to
Referring to
Preferably, the analyzer server 20 further includes an artificial intelligence training unit 25 connected to the graphics processing unit 23 and the model-storing unit 22. The artificial intelligence training unit 25 can be a processor that includes a deep neural network, such as the DGX-1 of Nvidia or the TPU of Google. The artificial intelligence training unit 25 executes training to derive optimized model-related graphics from the model-related graphics and the network traffic-related graphics. The optimized model-related graphics are sent to and stored in the model-storing unit 22. The optimized model-related graphics are to be used as the model-related graphics with which the next network traffic-related graphic is to be compared. Thus, the precision of the comparison is improved and malicious packets can be detected effectively. Hence, security of the connection is ensured.
Referring to
At S101, a packet of network traffic is transmitted into the deterring apparatus 10. The packets of the network traffic are transferred to the analyzer server 20 of the deterring apparatus 10 via the tap switch 50.
Then, at S102, the deterring apparatus 10 converts the packet of the inline network traffic into a network traffic-related graphic. The bitmap converter 21 of the analyzer server 20 of the deterring apparatus 10 converts the packet of the inline network traffic into a network traffic-related graphic.
Then, at S1031, the network traffic-related graphic is compared with at least one model-related graphic derived from at least one malicious packet. The graphics processing unit 23 of the analyzer server 20 receives multiple original model-related graphics from the model-storing unit 22 in practice. Then, the graphics processing unit 23 compares the network traffic-related graphic with all the model-related graphics. In the first embodiment, the model-related graphics stored in the model-storing unit 22 are derived from known malicious packets.
Then, at S1041, it is determined whether the network traffic-related graphic matches any of the model-related graphics. The process goes to S1051 if the network traffic-related graphic matches any of the model-related graphics, and goes to S1052 if the network traffic-related graphic does not match any model-related graphic.
At S1051, a warning is provided or the packet of the inline network traffic is blocked. As mentioned above, the model-related graphics are derived from the known malicious packets. Hence, the deterring apparatus 10 determines the packet of the inline network traffic to be a malicious packet if finding the network traffic-related graphic to match any of the model-related graphics. Accordingly, the deterring apparatus 10 provides a warning and/or blocks the malicious packet of the inline network traffic from the data center 60. Synchronously, the deterring apparatus 10 writes data about the malicious packet in at least one log file.
At S1052, the packet of the inline network traffic is admitted to the data center 60, without any further action. The deterring apparatus 10 admits the packet of the inline network traffic to the data center 60 after determining that the network traffic-related graphic does not match any of the model-related graphics, without taking any further action.
Referring to
At S101, the packets of inline network traffic are transmitted into the deterring apparatus 10. The packets of the network traffic are transferred to the analyzer server 20 of the deterring apparatus 10 via the tap switch 50.
Then, at S102, the deterring apparatus 10 converts the packets of the inline network traffic into at least one network traffic-related graphic. The bitmap converter 21 of the analyzer server 20 of the deterring apparatus 10 converts the packets of the inline network traffic into at least one network traffic-related graphic.
Then, at S1032, the network traffic-related graphic is compared with at least one model-related graphic derived from at least one normal packet. The graphics processing unit 23 of the analyzer server 20 receives model-related graphics from the model-storing unit 22. Then, the graphics processing unit 23 compares the network traffic-related graphic with all the model-related graphics. In the second embodiment, the model-related graphics stored in the model-storing unit 22 are derived from known normal packets.
Then at S1042, it is determined whether the network traffic-related graphic matches any of the model-related graphics. The process goes to S1051 if the network traffic-related graphic does not match any model-related graphic, and goes to S1052 if the network traffic-related graphic matches any of the model-related graphics.
At S1051, a warning is provided or the packet of the inline network traffic is blocked. As mentioned above, the model-related graphics are derived from normal packets. Hence, the deterring apparatus 10 determines the packet of the inline network traffic to be a malicious packet if finding the network traffic-related graphic not to match any of the model-related graphics. Accordingly, the deterring apparatus 10 provides a warning and/or blocks the malicious packet of the inline network traffic from the data center 60. Synchronously, the deterring apparatus 10 writes data about the malicious packet in at least one log file.
At S1052, the packet of the inline network traffic is admitted to the data center 60, without any further action. The deterring apparatus 10 admits the packet of the inline network traffic to the data center 60 after determining that the network traffic-related graphic matches any of the model-related graphics, without taking any further action.
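The two embodiments above differ only in what the stored model-related graphics represent and in which comparison outcome triggers S1051. The following Python is an added example (not code from the patent) that walks a packet through S102 to S105 in both modes; it assumes a 16 x 16 grayscale bitmap per packet and a "match" defined as at most 5% of pixels differing, both of which are my simplifications, and the sample packets are constructed, not real captures.

```python
from typing import List, Sequence

Bitmap = List[List[int]]

WIDTH, HEIGHT = 16, 16        # assumed bitmap size: 256 bytes of packet per graphic
MATCH_THRESHOLD = 0.05        # assumed: at most 5% of pixels may differ for a "match"


def packet_to_bitmap(packet: bytes) -> Bitmap:
    """Bitmap converter 21: one byte per grayscale pixel, row-major,
    zero-padded or truncated to WIDTH x HEIGHT."""
    data = packet[:WIDTH * HEIGHT].ljust(WIDTH * HEIGHT, b"\x00")
    return [list(data[r * WIDTH:(r + 1) * WIDTH]) for r in range(HEIGHT)]


def bitmap_distance(a: Bitmap, b: Bitmap) -> float:
    """Fraction of pixels that differ between two equally sized bitmaps."""
    differing = sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return differing / (WIDTH * HEIGHT)


def matches_any(graphic: Bitmap, models: Sequence[Bitmap],
                threshold: float = MATCH_THRESHOLD) -> bool:
    """Graphics processing unit 23: compare the graphic with every model graphic."""
    return any(bitmap_distance(graphic, m) <= threshold for m in models)


def inspect(packet: bytes, models: Sequence[Bitmap], mode: str) -> str:
    """Steps S102 to S105 as one decision; returns 'block' or 'admit'.
    mode='malicious': first embodiment, models come from known malicious
    packets, so a match is blocked (S1031/S1041).
    mode='normal': second embodiment, models come from known normal
    packets, so a non-match is blocked (S1032/S1042)."""
    matched = matches_any(packet_to_bitmap(packet), models)
    if mode == "malicious":
        return "block" if matched else "admit"
    if mode == "normal":
        return "admit" if matched else "block"
    raise ValueError("mode must be 'malicious' or 'normal'")


# Constructed sample packets (not real captures) standing in for the
# contents of the model-storing unit 22 in each embodiment.
MALICIOUS_SAMPLE = b"CONSTRUCTED-MALICIOUS-SAMPLE-0001"
NORMAL_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
MALICIOUS_MODELS = [packet_to_bitmap(MALICIOUS_SAMPLE)]
NORMAL_MODELS = [packet_to_bitmap(NORMAL_SAMPLE)]
```

A packet that differs from a stored sample in a single byte still matches it, which is the point of a tolerance threshold rather than exact comparison; tuning that threshold is what decides the false-positive rate of either embodiment.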
The artificial intelligence training unit 25 can be included in another embodiment. After S1031 or S1032, the artificial intelligence training unit 25 executes training to derive optimized model-related graphics from the network traffic-related graphic and the model-related graphics. Then, the artificial intelligence training unit 25 sends the optimized model-related graphics to the model-storing unit 22. The optimized model-related graphics are to be used as the model-related graphics with which the next network traffic-related graphic is to be compared. Hence, at S1031 or S1032, the model-related graphics can be the original model-related graphics generated before any comparison or the optimized model-related graphics generated after a previous round of comparison.
In another embodiment, some of the model-related graphics stored in the model-storing unit 22 of the analyzer server 20 are derived from malicious packets and the other model-related graphics are derived from normal packets. Thus, the determination of whether a packet of the inline network traffic is a malicious packet is executed at an improved pace.
The present invention has been described via the illustration of the embodiments. Those skilled in the art can derive variations from the embodiments without departing from the scope of the present invention. Therefore, the embodiments shall not limit the scope of the present invention defined in the claims.