RU2691192C1 - Firewall system - Google Patents

Abstract

FIELD: physics.SUBSTANCE: invention relates to the field of firewalling, used to prevent unauthorized access and exchange of information between various users of computer networks. Technical result is achieved due to preliminary analysis of incoming traffic flow on traffic belonging to a previously established connection, parsing packets to obtain data from packets on a channel, network, transport and application layers, splitting the obtained data from packets into clusters, making a decision on each packet in clusters based on established rules of processing network packets, detecting deviations of network traffic corresponding to processing rules, from a normal traffic profile of packets, updating established rules for processing network packets.EFFECT: technical result is faster processing of network traffic based on clustering data with simultaneous thorough filtering thereof due to that each packet is checked by a set of rules, as well as in detecting anomalies.3 cl, 1 dwg

Description

The invention relates to the field of information security, in particular to the firewall system used to prevent unauthorized access and exchange of information between different users of computer networks.

As new applications and network technologies emerge, data transfer is becoming more complex. Filtering network traffic while maintaining a high level of security with the emergence of new network attacks is becoming an increasingly multifaceted task. In addition, as the speed of a network connection increases, it becomes more and more difficult to monitor network traffic without loss of bandwidth and performance. The above problems require network equipment built on new principles for processing network traffic. These devices must have high bandwidth to avoid loss of network packets, as well as no negative impact during their processing. Known firewalls are designed to solve only some of the problems mentioned. They can operate at high speeds, but at the same time there is a high probability of missing a network attack, or they can carefully analyze network packets when processing performance is low. To solve the above problems, a firewall system is proposed, in which network traffic is filtered based on clustering results.

A firewall with traffic filtering by mandate labels is known (RU 159041 U1, publ. 01/27/2016), which contains a firewall control unit that makes decisions based on filtering rules, to which network packets arrive; the block of work with mandatory labels, consisting of the block of analysis of packages and the block of decision making. The input of the work unit with mandatory labels from the output of the firewall control unit receives the network packet and the rules for working with network packets containing the mandatory tags, and the output is a solution based on the mandatory tags, which is transmitted to the input of the firewall control unit, after which the control unit the firewall forms the final decision on the further route of the packet.

The main disadvantage of this solution is that the individual categories of the same level are equivalent, which in most cases leads to redundancy of access rights for specific subjects within the respective levels. Also, the implementation of devices with a security policy for mandatory labels is quite complex and requires significant computing system resources.

Known automatic firewall (RU 2580004 C2, publ. 04/10/2016), which is a set of hardware and software, containing at least two network interfaces, and allows you to filter transit traffic without assigning network interfaces to their interfaces. This firewall contains a processor that implements a multi-level filtering network traffic based on the analysis of the direction of traffic transit, determined by the membership of the input and output network interfaces, to the shared segments of the computer network, and also taking into account the analysis of the states of telecommunications transit traffic protocols, and the traffic is filtered on the channel, network and transport levels. The firewall is also designed to allow all traffic through already established connections.

The disadvantage of this screen is that there is no possibility of clustering data, which leads to the complication of data processing.

The prototype of the present invention is a system and method of preparing for the operation of a firewall on the network, disclosed in US 2015089628 A1, publ. 03/26/2015. The prototype solution provides tools for monitoring network usage, setting up content filtering, scheduling access hours for specific network devices, and determining which network devices can connect to the global network. WAN access can be granted or blocked, or limited on the basis of each network device, using parameters such as, but not limited to, for example, time of day, characteristics of the restriction, and classification of the content served by the target resource.

The disadvantage of this solution is the inability to track anomalies in network traffic. In addition, the classification of package contents is not effective, since the rules for distributing objects into groups are predetermined according to certain criteria, and they cannot take into account changes that occur in the network, which must be redistributed when all classification groups are introduced.

Solved technical problem, according to the present invention, is to create a firewall screening system, whose work is simultaneously based on clustering data and identifying anomalies.

The technical result of the present invention is to accelerate the processing of network traffic based on clustering data while simultaneously filtering it due to the fact that each packet passes a set of rules, as well as anomalies.

The technical result is achieved due to the fact that the firewall system contains a processor, machine-readable media, a control unit, a DPI device for parsing and receiving data at the channel, network, transport and application levels, decision block, memory block, anomaly block and log block in which the clustering unit is configured to split the received data when parsing a packet into clusters, and the anomaly detection unit is configured to learn based on traffic information storing Xia in the block of the log.

The invention is illustrated by the drawing, which shows the structure of the firewall system,

According to the proposed technical solution, a firewall system, the structure of which is shown in FIG. 1, contains the processor (1), machine-readable medium (2), control block (3), device (4) DPI (deep packet inspection), block (5) data clustering, block (6) decision making, block (7) memory, block (8) anomaly detection, block (9) of the log. In a preferred embodiment of the invention, the system also comprises a graphical user interface (10).

The processor (1) is a general-purpose processor and serves to execute instructions for processing incoming packets to the control unit (3) and stored on computer-readable media (2). Machine-readable media can include any data carrier or communication medium, such as, but not limited to, volatile and nonvolatile, removable and stationary media, implemented in any method or technology for storing and / or transmitting information, such as computer-readable instructions for a computer. data structures, software modules or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage device (RAM), ma netic tape, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed using the system unit (CPU).

The control unit (3) is connected to the device (4) DPI and is configured to preliminary analyze the incoming traffic flow. If it is established that the traffic belongs to an already established connection, that is, such packets with the SYN and ACK flags have already passed through the control unit (3), then the packet can be passed without filtering. In some cases this is especially important, since, for example, a delay of more than 150 milliseconds is unacceptable for two-way voice conversations and a break in communication may occur. A valid time interval for no traffic can also be specified; by default, it is usually 25 seconds. If the time is exceeded, this traffic will apply to the new connection. In addition, for each type of traffic and / or protocol at the user's choice, its own allowable time interval of no traffic can be specified. The control unit (3) may also be configured to buffer data for temporary storage. If the packet belongs to a new connection, then it is sent to the device (4) DPI to parse the packets. Device (4) DPI parses packets with the specification of the IP protocol to receive data at the channel, network, transport and application layers. Device (4) DPI is capable of extracting all used application protocols, tunneled IP addresses, user names, file names, HTTP links and request URLs, server return codes. Examples of data include: obtaining physical addresses of hosts (MAC address), type of network protocol (IPv4 and IPv6), IP addresses of source and destination hosts, type of transport protocol (IP, ICMP, RIP, DDP, ARP, etc.), numbers source and destination ports, as well as LLC, service flags value, TCP “window” value. Examples of application-level data can be remote access and resource sharing protocols such as HTTP, SMTP, FTP, HTTPS, TELNET, SSH, DNS, etc. In this way, application-level data as well as the associated metadata of each network can be obtained. package. Device (4) DPI has its own unique characteristics, which are listed in the embedded signature database. Comparison of the sample from the database with the analyzed traffic allows you to accurately determine the application or protocol. But as new applications and protocols periodically appear, the signature database also needs to be updated to ensure high identification accuracy.

Block (5) of data clustering is used to split data packages into groups (clusters) of similar objects to simplify further data processing and decision making. In this case, each analysis group can be applied to each data group. Block (5) data clustering can be implemented on the basis of neural networks.

The task of clustering can be described as follows. Let x be the set of objects (network protocol type, sender port, receiver port, protocol name, etc.), y be the set of cluster numbers. The function of the distance between objects p (x, x ⁱ ) is given. There is a finite training sample of objects X ^m = {x ₁ , ..., x _m } ⊂X. It is required to split the sample into disjoint subsets, called clusters, so that each cluster consists of objects that are close in the metric p, and the objects of different clusters are significantly different. In addition, each cluster object x _i ∈ X ^{m is} assigned a cluster number y _i .

To group the data, any known algorithms can be used, for example, hierarchical, k-means, c-means, layer-by-layer clustering, Kohonen's neural network. As already mentioned, the similarity of objects is determined by the distance, which can be determined by any known method, for example: Euclidean distance, square Euclidean distance, Manhattan distance, Chebyshev distance, power distance.

Thus, such input data are grouped into clusters, and atypical objects can also be selected that cannot be attached to any of the clusters, which helps to identify network anomalies. The number of clusters can be arbitrary or fixed, while the list of clusters is not clearly defined and is determined in the process of work, depending on the incoming data.

Block (6) of decision making makes a decision on the cluster based on the rules for processing network packets. The operation of the firewall system is determined by a set of rules, for example, IPtables or Suricata, which can be stored in the memory block (7). For each cluster, its own processing rules can be created and set different from other clusters, in other words, certain chains can be created, to which the clusters will be redirected for further processing. Thus, it is enough to create one general rule for a specific cluster, and then redirect the clusters from it into separate chains. Clusters from one own chain to another can also be redirected. This allows you to optimize the processing of network traffic, since each packet from the cluster is processed according to its own rules. Then, on the basis of the decision taken, the packet can be sent to the anomaly detection unit (8) for further verification of the packet, or it can be dropped. In addition, information on any package is simultaneously sent to the logbook block (9). Also, the firewall system can be configured so that the packets are not discarded, but sent to the decision block (3) with subsequent re-clustering in case any inconsistencies with the rules were detected. Based on the temporary storage of files in the buffer (not marked in the drawing), the control unit (1) can establish that such a packet has already passed and set a mark so that when it is re-clustering it would fall into another cluster. And only after re-processing were discarded. The established rules for processing a network packet are periodically refined depending on the traffic passing and the resulting clusters.

Anomaly detection block (8) reveals a significant deviation of network traffic from the usual traffic profile. Anomalies analysis assumes availability of training and statistical analysis for building and updating regular traffic. Examples of anomalies can be a sudden increase in Internet traffic (including at night), a change in the traffic structure (for example, an increase in SSL encrypted traffic) compared to regular daily rates, or the difference between a pair: IP and port from normal, etc. All information about normal traffic can be stored in block (9) of the log based on which the block (8) of anomaly detection can be trained. If the packet does not contain any anomalies, then it is sent to the control unit (3) for further routing, otherwise it is discarded.

In a preferred embodiment of the invention, the firewall system comprises a graphical user interface (10). In this case, if the packet contains anomalies, it is not discarded, but sent to the graphical user interface (10), where it will be checked by the system administrator. The system administrator can take all information about network traffic directly from the logbook block (9), he can also skip the packet manually and send it to the control block (3), and then enter the packet specification into the log block (9).

Block (9) of the logbook collects data about each packet (including discarded ones), which come from block (6) of decision making. This data can also be obtained from the DPI device. In a preferred embodiment of the invention, this data is metadata. Storage of metadata without real content is approximately 1/100 of the compression ratio compared to the raw network traffic and significantly increases the amount of stored information about the packets.

The advantage of the proposed system is that the information on detected atypical packages in block (5) clustering can be immediately sent to the block (9) of the registration log, which can be used to train the block (8) to detect anomalies.

The following is an example embodiment of the invention.

Machine-readable media (2) contains a set of instructions executed by the processor (1) for implementing a method for processing network traffic. When the generated IP packet enters the firewall system, the control unit (3) performs a preliminary analysis of the traffic flow. If, as a result of the analysis, it is determined that the traffic packet belongs to an already established connection, then it is passed without filtering. Otherwise, it is sent to the device (4) DPI to parse the packet. Device Unit (4) DPI parses the packet at the channel, network, transport and application levels to obtain a set of data characterizing the packets, namely: physical addresses of hosts (MAC address), types of network protocols (IPv4 and IPv6), IP addresses of hosts source and destination types, transport protocol types (IP, ICMP, RIP, DDP, ARP, etc.), source and destination port numbers, LLC, value of service flags, TCP “window” value, and also HTTP, SMTP, FTP, HTTPS protocols , TELNET, SSH, DNS, etc. The data obtained is sent to the clustering unit (5). In the specified block, similar data is grouped into clusters. If the clustering process reveals objects that cannot be attached to any of the clusters, then all data of such objects is sent to the logbook block (9). Next, the clusters are sent to decision block (6). For each packet in the clusters, a decision is made based on the rules for processing network packets that can be stored in the memory block (7). As already mentioned, each processing cluster can be set for each cluster. In addition, they can also be updated by the system administrator. Each packet from the cluster is processed in accordance with the rules on the basis of which a decision is made to skip or block a packet. If the packet complies with all the rules, then it is sent for further verification to the anomaly detection unit (8), otherwise the packet is discarded. Also, information about each packet from the block (6) of decisions is entered into the block (9) of the registration log. Anomaly detection block (8) reveals a significant deviation of network traffic from the usual traffic profile. Anomalies analysis assumes availability of training and statistical analysis for building and updating regular traffic. Training takes place on the basis of the data from the block (9) of the registration log, which comes from the cluster (5) clustering and block (6) decision making. Based on the test results, the packet can be sent for further routing to the control unit (3), if no deviations are delayed in it or the packet can be dropped, or, as mentioned above, redirected to the graphical user interface (10), where it will be checked by the system the administrator in accordance with the information in the logbook block (9). It should be clear to a person skilled in the art that a system administrator can skip a packet previously dropped by the decision block (6) or the anomaly detect block (8), and also make changes to the log block (9) and the storage block (7) regarding normal traffic content and update or create new packet processing rules, respectively.

Claims (9)

1. Firewall system containing processor, machine-readable medium, control unit (3), deep packet filtering (DPI) device (4) for parsing and receiving data at the channel, network, transport and application levels, clustering unit (5), block (6) decision making, memory unit (7), Internet traffic anomaly detection unit (8) and logbook unit (9), in which the processor is connected to computer-readable media and control unit (3), control unit (3) is connected to device (4) deep packet filtering (DPI), block (6) with decision making and anomalies detection unit (8), a deep packet filtering (DPI) device (4) is connected to a clustering unit (5), a decision block (6) is connected to a memory unit (7), anomalies detecting unit (8) and a clustering unit (5), an anomaly detection unit (8) is connected to a logbook unit (9), which is connected to a clustering unit (5), the control unit (3) is designed to control traffic flow, clustering unit (5) made with the possibility of splitting the data when parsing the package into a cluster ry; decision block (6) is configured to make decisions on a cluster based on network packet processing rules; block (9) of the log is configured to collect data about each packet; block (8) to detect Internet traffic anomalies is designed to train on the basis of information about the traffic stored in the logbook block (9). 2. The system of claim 1, characterized in that the information for training enters the block (9) of the registration log from the clustering block (5) and the block (6) of decision making. 3. A machine-readable medium containing a set of instructions executed by a processor for implementing a method for processing network traffic, including: preliminary analysis of the incoming traffic flow on the belonging of the traffic to the previously established connection, parsing packets to get data from packets at the channel, network, transport and application levels, splitting data from packets into clusters, Deciding on each packet in clusters based on the established rules for processing network packets; detection of deviations of network traffic that complies with the processing rules from the usual packet traffic profile, clarification of established rules for processing network packets.

Images