This invention relates to the field of detecting network attacks and particularly relates to detecting attacks on a data communication network locally to the user system from which the attack originates.
The Internet is a wide area data communication network formed from a plurality of interconnected data networks. In operation, the Internet facilitates data communication between a range of remotely situated data processing systems. Typically, end user data processing systems connected to the Internet are referred to as client data processing systems or simply clients. Similarly, data processing systems hosting web sites and services for access by end users via the Internet are referred to as server data processing systems or simply servers. There is a client-server relationship completed via the Internet between the end user data processing systems and the hosting data processing systems.
The Internet has become an important communication network for facilitating electronically effected commercial interactions between consumers, retailers, and service providers. Access to the Internet is typically provided to such entities via an Internet Service Provider (ISP). Each ISP typically operates an open network to which clients subscribe. Each client is provided with a unique Internet Protocol (IP) address on the network. Similarly, each server on the network is provided with a unique IP address. The network operated by the ISP is connected to the Internet via a dedicated data processing system usually referred to as a router. In operation, the router directs inbound communication traffic from the Internet to specified IP addresses on the network. Similarly, the router directs outbound communication traffic from the network in the direction of specified IP addresses on the Internet.
A problem faced by many people and businesses is the increasing frequency of electronic attacks to the networks they use. Such attacks include computer virus attacks and so-called “worm” attacks. Attacks of this nature introduce significant performance degradation in networks. Infected systems connected to the network typically attempt to spread the infection within the network. Many users do not recognize that their systems are infected.
A known intrusion detection sensor spoofs service interaction with potential attackers. The sensor functions by spoofing the existence of machines and services at otherwise unused IP addresses. As the addresses are otherwise unused, all traffic destined to them is a priori suspicious. The sensor spoofs services to determine the intention behind the traffic. The sensor itself offers a virtualization infrastructure that allows individual sensors to be written as if they were running on a single host.
WO 2004/107706 discloses an intrusion detection sensor (IDS) for detecting attacks on a data communication network. The IDS identifies data traffic on the network originating at any assigned address and addressed to any unassigned address, inspects the data traffic so identified for data indicative of an attack and generates an alert signal, if required.
The term “unassigned” is used in this context as covering an address that is not assigned to a physical device other than an apparatus for detecting an intrusion or generating an attack signature. The apparatus designed to execute the method disclosed in WO 2004/107706 is the device to which those “unassigned” addresses are actually assigned in order to make use of the method. Those addresses are unassigned insofar as they are not assigned to any device that has a functionality other than signature generation or intrusion detection.
In the above mentioned IDS, a block of unassigned addresses is designated to the IDS such that the IDS can spoof a response to any data traffic to these unassigned addresses. Also, the IDS may be geographically remote from the originating user system of the data traffic making it difficult to take action against the originating user system.
It is an aim of the present invention to provide a system for detecting attacks directed at unused or inaccessible addresses. It is a further aim to provide local reporting of local problems. In addition, the detection can be realized transparently to the attacking entity.
According to a first aspect of the present invention there is provided a method for detecting attacks on a data communication network, the method comprising: monitoring return messages addressed to an originating user system; identifying a return message of a specified nature; and temporarily routing subsequent messages from the originating user system to an intrusion detection sensor. The term “specified nature” is understood as the message having a specific property or being of a predetermined type. The monitoring means, also referred to as the message checker, works as a filter that checks whether the return message has the specific property. If the return message is recognized to have the property the message checker is looking for, subsequent messages are subjected to rerouting. The message checker can hence be seen as a switch operated by the type of the return message. The message checker can check for several specific properties at the same time and perform the rerouting if one or more of those properties are found to be present.
Preferably, the intrusion detection sensor is local to the originating user system, i.e. the intrusion detection sensor is connected to the same network as the originating system. The term network is herein understood as an aggregation of networkable units, the border of the network being represented by border routers or edge routers. Those routers handle the connectivity to other networks. A network can be a subnetwork to a larger network. The intrusion detection sensor may spoof an exchange with the originating user system. In this way, an intrusion detection sensor local to an originating user system of a message sent to an inaccessible address can determine the nature of the originating user system's intent. In other words, the invention allows a detection and reporting of an attack closer to the attacking entity.
The return message may relate to a message sent by the originating user system to a destination address and the step of temporarily routing may reroute to the intrusion detection sensor all subsequent messages that are directed from the originating user system to the destination address.
The specified nature of the return message may indicate that a destination address is inaccessible. For example, the specified nature of the return message may be an Internet Control Message Protocol message indicating a failed connection.
The temporary routing may be applied for a predetermined period of time, after which normal routing is resumed. The method may also include triggering the temporary routing only if the number of return messages of a specified nature that have been identified as addressed to an originating user system exceeds a predetermined threshold. This threshold can then be used to differentiate harmless traffic (a single mistyped address or a stale bookmark) from harmful traffic such as a scanning worm or a spam engine that contacts many hosts in quick succession.
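The following is an added worked example of the message checker described in the first aspect; it is not code from the patent. It models the return-message-operated switch as a small state machine: ICMP Destination Unreachable messages addressed to a local originator are counted, a temporary route for the (originator, destination) pair is installed once the count reaches a threshold, and the route expires after a fixed period so that normal routing resumes. The local prefix 192.0.2.0/24, the threshold and the 300-second period are assumptions chosen for illustration; the "ids" / "normal" next-hop labels stand in for whatever forwarding entries a real router would install.

```python
"""Return-message-operated switch (added example, not the patent's own code).

Steps of the method: (1) monitor return messages addressed to a local originating
system, (2) identify those of the specified nature (ICMP Destination Unreachable),
(3) temporarily route subsequent messages from that originator to the IDS.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ICMP_DEST_UNREACHABLE = 3            # RFC 792 type 3
# Type-3 codes that indicate a failed connection: net, host, port unreachable
# and the administratively-prohibited variants a firewall may send.
UNREACHABLE_CODES = {0, 1, 3, 9, 10, 13}


@dataclass(frozen=True)
class ReturnMessage:
    """Decoded ICMP error delivered to a local originator (fields assumed for the example)."""
    icmp_type: int
    icmp_code: int
    originator: str    # local system that sent the failed message (ICMP destination)
    destination: str   # address the originator tried to reach (quoted in the ICMP body)


@dataclass
class MessageChecker:
    threshold: int = 3                  # return messages before rerouting triggers (assumed)
    reroute_seconds: float = 300.0      # predetermined rerouting period (assumed)
    local_prefix: str = "192.0.2."      # hypothetical local network behind this router
    counts: dict = field(default_factory=lambda: defaultdict(int))
    temp_routes: dict = field(default_factory=dict)   # (originator, destination) -> expiry time

    def is_specified_nature(self, msg: ReturnMessage) -> bool:
        """Step 2: the property the checker looks for."""
        return msg.icmp_type == ICMP_DEST_UNREACHABLE and msg.icmp_code in UNREACHABLE_CODES

    def observe_return_message(self, msg: ReturnMessage, now: float) -> bool:
        """Steps 1-3. Returns True when a temporary route to the IDS was installed."""
        if not msg.originator.startswith(self.local_prefix):
            return False                 # only return messages addressed to local systems count
        if not self.is_specified_nature(msg):
            return False
        self.counts[msg.originator] += 1
        if self.counts[msg.originator] < self.threshold:
            return False                 # below threshold: treat as harmless so far
        # Threshold reached: subsequent traffic from this originator to this
        # destination goes to the IDS until the period elapses.
        self.temp_routes[(msg.originator, msg.destination)] = now + self.reroute_seconds
        return True

    def next_hop(self, src: str, dst: str, now: float) -> str:
        """Forwarding decision for a packet from src to dst: 'ids' or 'normal'."""
        expiry = self.temp_routes.get((src, dst))
        if expiry is None:
            return "normal"
        if now >= expiry:
            # Period elapsed: remove the temporary route and restart the count.
            del self.temp_routes[(src, dst)]
            self.counts.pop(src, None)
            return "normal"
        return "ids"


if __name__ == "__main__":
    # Constructed sequence: a local host repeatedly hits an unreachable address.
    checker = MessageChecker(threshold=2, reroute_seconds=60.0)
    err = ReturnMessage(3, 1, "192.0.2.10", "198.51.100.7")
    for t in (0.0, 1.0):
        print("t=%.0f rerouted=%s" % (t, checker.observe_return_message(err, t)))
    print("t=2 next hop:", checker.next_hop("192.0.2.10", "198.51.100.7", 2.0))
    print("t=70 next hop:", checker.next_hop("192.0.2.10", "198.51.100.7", 70.0))
```

The route key is the (originator, destination) pair rather than the originator alone, so a host that merely mistyped one address keeps normal connectivity to everything else while its traffic to the unreachable address is examined by the sensor.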
According to a second aspect of the present invention there is provided an apparatus for detecting attacks on a data communication network, the apparatus comprising: a router including a mechanism for monitoring return messages addressed to an originating user system local to the router; and an intrusion detection sensor; wherein the mechanism includes: a message checker for identifying a return message of a specified nature; and means for temporarily routing subsequent messages from the originating user system to the intrusion detection sensor.
Preferably, the intrusion detection sensor is local to the router. The intrusion detection sensor may include means for spoofing an exchange with the originating user system. The intrusion detection sensor may include a virtualization infrastructure with a plurality of virtual sensors each spoofing a service.
According to a third aspect of the present invention there is provided a router comprising: a mechanism for monitoring return messages addressed to an originating user system local to the router; means for identifying a return message of a specified nature; and means for temporarily routing subsequent messages from the originating user system to an intrusion detection sensor.
According to a fourth aspect of the present invention there is provided a data communication system comprising: a plurality of data processing systems in a network; a router local to the data processing systems for routing messages to and from the data processing systems; the router including a mechanism for monitoring return messages addressed to an originating user system in the form of one of the data processing systems local to the router; and an intrusion detection sensor; wherein the mechanism includes: means for identifying a return message of a specified nature; and means for temporarily routing subsequent messages from the originating user system to the intrusion detection sensor.
According to a fifth aspect of the present invention there is provided a computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method comprising the steps of: monitoring return messages addressed to an originating user system; identifying a return message of a specified nature; and temporarily routing subsequent messages from the originating user system to an intrusion detection sensor.
When a process on an originating user system tries to contact an unused or inaccessible address (for example, one behind a firewall), an ICMP (Internet Control Message Protocol) message addressed to the originating user system is returned, telling it that the destination is not reachable, along with some details as to why. On its way back this message passes through the router local to the originating user system, where it is intercepted, and all subsequent traffic from the originating user system to that destination is temporarily routed through the IDS.
Embodiments of the present invention will now be described, by way of examples only, with reference to the accompanying drawings in which:
Referring first to
In the memory subsystem 40 is stored data 60 and computer program code 50 executable by the CPU 10. The program code 50 includes operating system software 90 and application software 80. The operating system software 90, when executed by the CPU 10, provides a platform on which the application software 80 can be executed.
Referring now to
The routers 130, 230 may be implemented in the form of a data processing system as herein before described with reference to
In the first data communication network 100, there are IP addresses 110 assigned to systems 120 belonging to users of the Internet service. Each system 120 may be a data processing system as herein before described with reference to
A process 240, such as a worm or other attack, may originate from a user system 220 on the second data communication network 200. The process 240 may be addressed to a wide selection of addresses on other networks 100. If the process 240 is addressed to an unassigned address such as one of the second group 140 of IP addresses on the first network 100 which are unassigned to user systems, the process 240 is routed to the IDS 160 which spoofs replies to the process 240 and raises an alarm.
An example internal architecture of an IDS 160 is shown in more detail in
The IDS 160 is built on top of a security-hardened machine that offers no real services beyond restricted login. The IDS 160 offers a virtualization infrastructure 310 that allows individual sensors 311-315 to be operated as if they were running on a single host. It also provides a logging infrastructure 320 based on a relational database 330 that allows correlation and analysis of the copious data produced by the virtual sensors 311-315. The services spoofed by the virtual sensors 311-315 may include the Hypertext Transfer Protocol (HTTP), Microsoft's Distributed Component Object Model (DCOM), Structured Query Language (SQL) database services, and Windows file sharing and printing (SMB).
With reference to
The process 440 may be addressed to IP addresses 540 which are unused or inaccessible, for example, behind a firewall. If this is the case, an ICMP (Internet Control Message Protocol) message is returned from the router 530 local to the inaccessible address which in this example is the router 530 of the second network 500. The ICMP message is addressed to the originating user system 420 of the process 440 indicating that the destination is not reachable, together with some details as to why.
A mechanism is provided to capture the ICMP message at the router 430 local to the originating user system 420. On seeing such a message, the router 430 local to the originating user system 420 arranges that all subsequent traffic from the originating user system 420 to the destination is given to or routed through a local intrusion detection sensor (IDS) 160. The local IDS 160 can then interact with the originating user system 420 to determine the root cause of the attempted connection.
Each network 400, 500 has its router 430, 530 which manages the traffic across the Internet 150. The routers read the destination address from the IP header of each packet, calculate the best route, and then send the packet toward its final destination. If the destination is on the same network as the sending computer, the router sends the packet directly to the destination computer. If the packet is going to a destination outside the local network, the router instead sends the packet to another router closer to the destination. That router in turn sends the packet to a closer router until the packet reaches its final destination.
The routers 430, 530 have two or more physical ports: input ports and output ports. When an input port receives a packet, a software routine called a routing process is run. This process looks at the header information in the IP packet and finds the address to which the data is being sent. It then compares this address against an internal database, called a routing table, which has detailed information about the ports to which packets with various IP addresses should be sent. Based on what it finds in the routing table, the router sends the packet to a specific output port which forwards the data to the next router or to the destination itself.
The operation of the Internet is monitored by the routers, and when a connection cannot be completed the event is reported by the ICMP (Internet Control Message Protocol). Various types of ICMP messages are defined, and each message is encapsulated in an IP packet. For example, a “Destination Unreachable” message (ICMP type 3) is sent when a router or the destination subnet cannot deliver a packet; its code field gives the reason, such as “Network Unreachable” (code 0) when the network of the destination cannot be located, “Host Unreachable” (code 1) when the destination host cannot be located, or “Port Unreachable” (code 3) when the host exists but no process is listening on the addressed port. The ICMP message also quotes the IP header and the first 8 octets of the packet that could not be delivered, so the recipient can tell which of its outgoing packets failed.
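As an added example (not code from the patent), the following Python parses a raw ICMP Destination Unreachable return message as a router-side mechanism would have to before deciding whether it is of the specified nature: it checks the outer IPv4 header, verifies the ICMP checksum, reads the type and code, and recovers the originator, the unreachable destination and the destination port from the quoted IP header and 8 octets of the failed packet. It also rejects a message whose quoted packet was not sent by the host the ICMP message is addressed to, since a forged return message could otherwise be used to push an arbitrary local host's traffic onto the sensor. The sample packet is constructed inline; the addresses 192.0.2.10, 198.51.100.7 and 198.51.100.1 are documentation addresses chosen for the example.

```python
"""Parser for ICMP Destination Unreachable return messages (added example).

Builds a constructed sample packet offline, then decodes it the way a router's
return-message monitor would, including the checks a forged message must fail.
"""
import socket
import struct

ICMP_PROTO = 1
ICMP_DEST_UNREACHABLE = 3
CODE_NAMES = {            # RFC 792 / RFC 1812 type-3 codes relevant to failed connections
    0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "network administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for data with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_dest_unreachable(router_ip: str, originator_ip: str, code: int, failed: bytes) -> bytes:
    """Constructed sample: a router reports that `failed` could not be delivered."""
    quoted = failed[:28]                                    # IP header + 8 octets, per RFC 792
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(router_ip, originator_ip, ICMP_PROTO, len(icmp)) + icmp


def parse_return_message(packet: bytes):
    """Return a dict describing a valid Destination Unreachable message, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[9] != ICMP_PROTO:
        return None
    outer_dst = socket.inet_ntoa(packet[16:20])            # the system the message is addressed to
    icmp = packet[ihl:]
    if _checksum(icmp) != 0:                               # corrupted or carelessly forged
        return None
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACHABLE or icmp_code not in CODE_NAMES:
        return None
    inner = icmp[8:]                                       # quoted failed datagram
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    originator = socket.inet_ntoa(inner[12:16])
    if originator != outer_dst:                            # quoted packet must belong to the addressee
        return None
    src_port, dst_port = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),
        "originator": originator,
        "destination": socket.inet_ntoa(inner[16:20]),
        "protocol": inner[9],
        "src_port": src_port,
        "dst_port": dst_port,
        "code": icmp_code,
        "code_name": CODE_NAMES[icmp_code],
    }


# Constructed sample: local host 192.0.2.10 tried TCP port 445 (SMB) on 198.51.100.7,
# and router 198.51.100.1 answered with "host unreachable".
SAMPLE_FAILED = (_ipv4_header("192.0.2.10", "198.51.100.7", 6, 20)
                 + struct.pack("!HHI", 40000, 445, 1) + b"\x00" * 12)
SAMPLE_RETURN = build_dest_unreachable("198.51.100.1", "192.0.2.10", 1, SAMPLE_FAILED)

if __name__ == "__main__":
    print(parse_return_message(SAMPLE_RETURN))
```

The originator/addressee comparison is the check a practitioner would insist on: without it, any host that can reach the router could fabricate Destination Unreachable messages naming a victim and have the victim's traffic silently diverted.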
Referring to
In response to the message 501, an ICMP message 511 is returned by a remote router in the Internet 150 and passes through the router 430 local to the originating user system 420. The mechanism 460 intercepts the ICMP message 511. Since the return message 511 is identified to be of a specified nature, namely indicating an unreachable destination, the mechanism 460 performs a rerouting so that all traffic from the originating user system 420 to the destination is given to or routed through the local IDS 160. The mechanism 460 sets up a temporary route 541 so that any subsequent messages sent from the originating IP address 410 to the inaccessible address are re-routed to the IDS 160. The IDS 160 can spoof an exchange 531 with the originating user system 420 by pretending to be the inaccessible address. The IDS 160 can then determine the nature of the attempted contact by the originating user system 420 to the inaccessible address and, if the attempted contact is malicious, an alarm can be raised locally within the same router network.
In addition to the advantages of a conventional IDS, this mechanism delivers alarms locally, in the network where the suspect machine resides, and hence reduces the need for an alarm redistribution architecture. This directly addresses the problem of efficiently detecting infected machines in the local network, which is valuable information for the local network administrators, instead of detecting remote infected systems, about which the local network administrator can do nothing. So the invention allows a detection of an intrusion closer to the intruder, thereby allowing a network administrator who is in charge of the domain that includes the intruder to react to the intrusion by an appropriate action. The closer the intrusion detection is located to the intruder, the better the administrator is able to perform such action.
Another advantage is that an unused or inaccessible address in any network, not only in networks that operate an IDS, can result in a returned ICMP message 511. Therefore, unused addresses do not need to be assigned to an IDS. The mechanism relies on the returned ICMP messages 511 indicating that the destination address is inaccessible; where a firewall or router silently discards the packet without sending an ICMP error, no return message reaches the local router and the rerouting is not triggered for that destination.
The present invention is typically implemented as a computer program product, comprising a set of program instructions for controlling a computer or similar device. These instructions can be supplied preloaded into a system or recorded on a storage medium such as a CD-ROM, or made available for downloading over a network such as the Internet or a mobile telephone network.
The invention can also be realized by a servicing entity offering a service to a serviced entity, also referred to as a client system. This service can be one or more of the following: installation of the device or system according to the invention in or for an environment of the serviced entity; deployment of the infrastructure usable to perform the method thereon, in particular deployment or integration of computing infrastructure, comprising integrating computer-readable code into a computing system, wherein the code in combination with the computing system is capable of performing the method according to the invention. In the context of this invention, the servicing entity can equip a client system against intrusion from an originating user system. Thereby the servicing entity can either provide efficient detection of infected machines in the serviced entity's network or detect infected machines that attack the serviced entity's network. The equipment method can comprise the steps of: connecting an intrusion detection sensor 160 to a router 430, providing the router 430 with a capability to monitor 610 return messages 511 addressed to an originating user system 420, identify 620 a return message 511 of a specified nature, and temporarily route 630 subsequent messages from the same originating user system 420 to said intrusion detection sensor 160. The IDS 160 can be equipment owned or leased by the servicing entity. In particular, the servicing entity could use this IDS 160 for several serviced entities at the same time, hence sharing this resource. This has the advantage that an update performed on the IDS 160 with respect to intrusion detectability has its impact on all connected serviced entities. Another advantage is that this service can be realized transparently to the serviced entity.
Improvements and modifications can be made to the foregoing without departing from the scope of the present invention.
Number | Date | Country | Kind
---|---|---|---
05006462.5 | Mar 2005 | EP | regional

Filing Document | Filing Date | Country | Kind | 371c Date
---|---|---|---|---
PCT/IB2006/050554 | 2/21/2006 | WO | 00 | 6/29/2008