
Title:
METHOD AND SYSTEM FOR MALWARE DETECTION AND MITIGATION
Document Type and Number:
WIPO Patent Application WO/2013/189723
Kind Code:
A1
Abstract:
A method and a system for malware detection and mitigation. The method comprises computing means for capturing suspicious data traffic through a plurality of access nodes in a communication network, characterized in that it comprises: a) detecting, by a monitor module, said suspicious data traffic passing through said plurality of access nodes in the communication network; and b) receiving and analysing, by a mitigation module, said suspicious data traffic detected, in order to block it in case said suspicious data traffic is infected, steps a) and b) being performed in real time at the origin, in the network access node, and the suspicious data traffic analysis in said step b) being performed based on the inspection and monitoring of a plurality of DNS packets. The system is arranged for implementing the method of the present invention.

Inventors:
GOMEZ RODRIGUEZ FRANCISCO JOSE (ES)
DIAZ HIDALGO CARLOS JUAN (ES)
PRIETO MARQUES DAVID (ES)
Application Number:
PCT/EP2013/061362
Publication Date:
December 27, 2013
Filing Date:
June 03, 2013
Export Citation:
Assignee:
TELEFONICA SA (ES)
International Classes:
H04L29/06
Foreign References:
US7849502B1 (2010-12-07)
US20100235915A1 (2010-09-16)
US20080141372A1 (2008-06-12)
EP1906620A1 (2008-04-02)
Other References:
None
Attorney, Agent or Firm:
GONZALEZ-ALBERTO, Natalia (S.L.P.Hermosill, 3 Madrid, ES)
Claims:

1. A method for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System, comprising computing means for capturing suspicious data traffic through a plurality of access nodes in a communication network characterized in that it comprises:

a) detecting, a monitor module, said suspicious data traffic passing through said plurality of access nodes in the communication network; and

b) receiving and analysing, a mitigation module, said suspicious data traffic detected, in order to block said suspicious data traffic in case it is infected, wherein said steps a) and b) are performed in real time at the origin of the network access node in the communication network and said suspicious data traffic analysis in said step b) is performed based on the inspection and monitoring of a plurality of DNS packets.

2. The method according to claim 1, comprising storing said plurality of DNS packets of said suspicious data traffic detected in order to further allow or block them in case they are infected.

3. The method according to claim 1 or 2, characterized in that the communication between said monitor module and a compiler module comprises using a plurality of different databases in order to perform said communication between a plurality of detectors libraries.

4. The method according to claim 3, wherein said plurality of different databases used are: FLOWS, USERDB and SERVERDB.

5. The method according to claim 1, characterized in that it further comprises adapting said detection to discontinuous streaming of suspicious data traffic and/or silent streaming periods of time by means of evaluating several vectors within said periods of time in order to establish a list with malicious users and assign a user reputation level to each one of said malicious users.

6. The method of claim 5, wherein the identification of said malicious users relies on a server IP address of said access node.

7. The method of claim 6, wherein when said server IP address of the access node is dynamically assigned, the identification of said malicious users relies on a combination of the server IP address of the access node and a transmission timestamp.

8. The method according to claim 3, comprising sending alerts to logging facilities between said monitor module and a detector library module.

9. The method according to claim 3 or 8, comprising sending alerts to logging facilities between said compiler module and the detector library module.

10. A system for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System, comprising means for detecting suspicious data traffic through a plurality of access nodes in a communication network characterized in that it comprises:

- a monitor module arranged to perform said detecting of suspicious data traffic from the communication network; and

- a mitigation module arranged to receive and analyse said suspicious data traffic detected, and in charge of blocking it in case said suspicious data traffic is infected.

11. The system according to claim 10, comprising a probe module arranged to capture said suspicious data traffic from said communication network and to prepare said suspicious data traffic for said detection.

12. The system according to claim 11, wherein a first detector library is arranged to said monitor module in order to perform said detection of the suspicious data traffic.

13. The system according to claim 12, wherein a second detector library is arranged to a compiler module.

14. The system according to claim 13, wherein a mitigator library is arranged to said mitigator module in order to perform said analysis of the suspicious data traffic.

15. The system according to claim 10, wherein said mitigator module is arranged in a same physical device within the access node.

16. The system according to claim 10, wherein said mitigator module is arranged in a different physical device within the access node.

17. The system according to any of previous claims 10 to 14, characterized in that it is integrated in a specific card within said access node or as a plug-in added to the access node.

Description:
Method and system for Malware detection and mitigation

Field of the art

The present invention generally relates, in a first aspect, to a method for Malware detection and mitigation, and more specifically to a method for optimizing the performance of detecting and mitigating malware on a network.

A second aspect of the invention relates to a system arranged for implementing the method of the first aspect.

Prior State of the Art

MALWARE:

Malware refers to software programs designed to damage a system or perform other unwanted actions on it. Malware can therefore be considered an enabling technology for the cybercrime industry.

Malware is growing exponentially year after year and a large percentage of the costs generated by the Malware are borne by the ISPs, which have been forced to add extra capacity in their networks to manage the "extra" traffic. Apart from that, another major disadvantage for ISPs hosting "zombie networks" is the loss of reputation.

Currently, "zombie networks" or botnets generate most of the SPAM in the world. Those "zombie networks" are created because malware is able to compromise systems and take control over them.

DNS:

The term DNS can refer either to the entire worldwide name resolution system, or to the protocol that makes it work.

As the DNS protocol definition states, "the goal of domain names is to provide a mechanism for naming resources in such a way that the names are usable in different hosts, networks, protocol families, internets, and administrative organizations."

The DNS system is based on a database distributed among different name servers that together make up the domain space. In general, different parts of the domain space are stored in different name servers.

DNS servers frequently become attack targets or a platform for malicious activity. The cybercrime industry misuses them knowingly, taking advantage of their status as a basic service.

BotNets: Robot networks are a set of infected PCs controlled centrally to carry out, in an orchestrated way, one (or many) of the following actions:

• DDoS attacks.

• Get private/economical information from the victims.

• Spread malware, acting as a platform for distributing new malware.

• Send SPAM

When a PC is infected it becomes part of the botnet and, from that moment, it is waiting for the orders of the controller. Meanwhile, the legitimate owner of the PC does not realize what is really happening while he is doing his usual tasks.

The main advantage of using a botnet in a DDoS attack is that the sender is not a unique PC, but hundreds or thousands of them, so it is very difficult to detect and mitigate it.

Anti-malware tools currently existing:

Currently there are several tools to fight malware. The most important are the following ones:

• Detection at the end point: Users must use A/V solutions to check the file system, memory and other resources in order to keep the system in a safe state.

• Detection at the core of the network: IDS solutions can monitor network access and detect malware behavior, but this kind of system is not focused on residential users; it is focused on enterprise environments.

There are alternatives based on a few key protocols like DNS or SNMP. In the DNS case, for example, the DNS traffic processed by the ISP's caching DNS servers, or in the best case a sample of the traffic that crosses the ISP network, is analyzed looking for anomalies in DNS traffic.

Problems with existing solutions:

As described in the previous section there are solutions to fight Malware, but all of them have several problems to solve:

Performance limitation

When the detection of malware-infected hosts is carried out at a central point, performance or scaling problems usually arise. This is the case for the following two solutions:

• Detection at the endpoint: Malware's "modus operandi" includes disabling the detection capabilities of user devices, so user equipment is a non-trusted environment in which to analyze malware threats.

• Detection at the core of the network: The detection is carried out using equipment located in the core of the ISP network, so the amount of traffic that must be analyzed is really huge. This, too, can lead to performance/scaling problems.

ISP bandwidth consumption

The farther from the source the detection / mitigation is performed, the more bandwidth will be consumed by malware.

In any of the three existing solutions the detection / mitigation is carried out once the malware has consumed some bandwidth of the ISP core network, which can result in the need to increase the ISPs resources.

ISP reputation loss

When an ISP hosts a large number of infected hosts that perpetrate attacks, send emails or support another malicious activity, there will be an important ISP reputation loss.

The described solutions:

• Detection at the end point

• Detection at the core of the network

force ISP clients to assume the responsibility for malware detection and mitigation, besides losing the traffic generated by infected hosts.

Inaccuracy

The detection at the core of the network solution is based on sampling the traffic across the network, so it does not really analyze the whole information to detect malicious activity, but only a minimal part of it. This can lead to an inaccurate detection mechanism.

On the other hand, this solution identifies a user by his/her IP address, which can be very imprecise in those ISPs in which private addressing is used, since it does not identify the user unambiguously.

Ineffective or nonexistent mitigation measures

The mitigation measures applied by the described solutions are the following ones:

• Blocking well known malware domains at the ISP DNS cache: Since ISPs cannot force their customers to use their name servers, any user or malware sample can avoid such DNS-based filtering by using another name server.

• DNS black list based technologies cannot keep up with the volume of new domain names used by malware: Solutions based on assigning domain name reputation scores are ineffective because attackers always use different and new domain names and address space, and besides they never reuse either resource for any other malicious purpose.

Description of the Invention

It is necessary to offer an alternative to the state of the art which covers the gaps found therein, particularly related to the lack of proposals which really allow the detection and mitigation of malware in a network.

To that end, the present invention provides, in a first aspect, a method for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System, comprising computing means for capturing suspicious data traffic through a plurality of access nodes in a communication network.

Contrary to the known proposals, the method of the first aspect of the invention comprises:

a) detecting, a monitor module, the suspicious data traffic passing through the plurality of access nodes in the communication network; and

b) receiving and analysing, a mitigation module, the suspicious data traffic detected, in order to block it in case the suspicious data traffic is infected, the steps a) and b) being performed in real time at the origin of the network access node in the communication network, and the analysis of the suspicious data traffic being performed by inspecting and monitoring a plurality of DNS packets.

In an embodiment, the detection of discontinuous streaming of suspicious data traffic and/or silent streaming periods of time is adapted by means of evaluating several vectors in a period of time in order to establish a list of malicious users and assign a user reputation level.

The identification of the malicious users relies on the server IP address of the access node, however, when this server IP address is dynamically assigned the identification of the malicious users relies on a combination of the IP address and a transmission timestamp.

In another embodiment, alerts to logging facilities are sent between the monitor module and the detector library module and/or between the compiler module and the detector library module. Other embodiments of the method of the first aspect of the invention are described according to appended claims 2 to 9, and in a subsequent section related to the detailed description of several embodiments.

A second aspect of the present invention generally comprises a system for malware detection and mitigation, performed in a user-centric Network Anomaly Detection System, comprising means for detecting suspicious data traffic through a plurality of access nodes in a communication network.

Contrary to the known proposals, the system of the second aspect of the present invention comprises:

- a monitor module arranged to perform the detection of suspicious data traffic from the communication network; and

- a mitigation module arranged to receive and analyze the suspicious data traffic detected, and in charge of blocking it in case the suspicious data traffic is infected.

In a preferred embodiment, in order to perform the detection and mitigation of the suspicious data traffic, the system comprises a first detector library arranged to the monitor module, a second detector library arranged to the compiler module and a mitigator library arranged to the mitigator module.

In another preferred embodiment, the mitigator module can be arranged in the same or in a different physical device within the access node.

Finally, the system is integrated in a specific card or as plug-in within the access node.

The system of the second aspect of the present invention is arranged to implement the method of the first aspect.

Other embodiments of the second aspect of the invention are described according to appended claims 11 to 17, and in a subsequent section related to the detailed description of several embodiments.

Brief Description of the Drawings

The previous and other advantages and features will be more fully understood from the following detailed description of embodiments, with reference to the attached drawings, which must be considered in an illustrative and non-limiting manner, in which:

Figure 1 shows an example of the IH-DMSON architecture proposed in the present invention.

Figure 2 shows an example of the monitor and detector library components used in the present invention.

Figure 3 shows an example of the compiler and the detector library components used in the present invention.

Figure 4 shows an example of the mitigator and mitigator library components used in the present invention.

Figure 5 shows a possible sequence diagram between the monitor module and the compiler module, according to an embodiment of the present invention.

Figure 6 shows a possible sequence diagram between the monitor module and the compiler module, with the deployed databases USERDB and SERVERDB, according to an embodiment of the present invention.

Figure 7 shows an example of how the traffic analysis is done by the IH-DMSON detection algorithm in the monitor module, according to an embodiment of the present invention.

Figure 8 shows an example of how the traffic analysis is done by the IH-DMSON detection algorithm in the compiler detector library module, according to an embodiment of the present invention.

Figure 9 describes the mitigation algorithm used in the present invention.

Detailed Description of Several Embodiments

The proposed invention proposes a malware Infected Hosts Detection and Mitigation System On-Net (IH-DMSON) regarding hardware and software equipment to be included in the network access nodes, for example, integrated in a specific card within the node.

This present invention will enable:

• Holistic security approach: Detection and mitigation in real time of malicious traffic by means of detailed analysis of traffic at the network access nodes. This system allows, on the one hand, detecting infected customers at origin and, on the other hand, mitigating only the suspected infected customers, so that legitimate customers and/or traffic are not blocked.

• Real time reaction capacity: The traffic analysis is done in a lightweight manner in real time, since the system only inspects the DNS packets passing through the access node.

• Trust-ability context: Fine-grained detection and real time reaction capacity make it possible to implement an access trust-ability context. Providing a dynamic user trust level enables a highly accurate mitigation level.

The proposed invention is a specific implementation of a Network Anomaly Detection System (NADS), adding a new functional module for the detection and mitigation of suspected infected customers and a specific malware detection algorithm that analyzes one kind of traffic (DNS) in depth.

The Infected Host Detection and Mitigation System (IH-DMSON) defined in this invention is a hardware and software system which implements a lightweight detection and mitigation algorithm in real time based on the inspection of DNS traffic (requests going through the access nodes, such as BRAS and GGSN, in the ISP network), incorporating a set of security functions into network nodes which work not only with aggregate traffic but also at a fine-grained level. The invention will be included in these nodes integrated in a specific card or as a plugin, which can be added to an existing node.

IH-DMSON Architecture

Figure 1 depicts the IH-DMSON architecture, including its components and the interaction between them, used in the present invention.

The modules defined in this system are:

• PROBE: monitoring point, providing a copy of the network traffic to the Detector.

• MONITOR: receives the traffic from the PROBE module, being responsible for the invocation of the Detector process that performs the IH-DMSON Detection Algorithm.

• MONITOR DETECTOR LIBRARY: the library that implements the IH-DMSON Detection Algorithm to detect infected users. It is present in the MONITOR and COMPILER modules. It is responsible for analyzing in online mode.

• COMPILER: responsible for COMPILERS invocation when the system works in offline mode. It runs once the traces storing phase ends.

• COMPILER DETECTOR LIBRARY: the library that implements the IH-DMSON Detection Algorithm to detect infected users. It is present in the COMPILER and MONITOR modules. It is responsible for analyzing in offline mode.

• MITIGATOR: receives the traffic passing through the access node and applies mitigation according to the IH-DMSON Mitigation Algorithm; it is in charge of blocking illegitimate traffic.

• MITIGATOR LIBRARY: library that implements the IH-DMSON Mitigation Algorithm.

• USER DB: contains key user information. Together with the SERVER DB data, it determines the MITIGATOR LIBRARY actions. The MONITOR DETECTOR LIBRARY and COMPILER DETECTOR LIBRARY store user information after processing flows. This information persists over time.

• SERVER DB: contains key server information. Together with the USER DB data, it determines the MITIGATOR LIBRARY actions. The MONITOR DETECTOR LIBRARY and COMPILER DETECTOR LIBRARY store server information after processing flows. This information persists over time.

PROBE

Since the detection carried out by the IH-DMSON needs a copy of the traffic passing through the access node, this copy is taken in software, using a single physical access to the network traffic.

The PROBE component is defined to capture those packets from the physical media and prepare them for the detection algorithm.

MONITOR and DETECTOR LIBRARY

Once the network traffic is aggregated into flows, it is ready to be analyzed using the online modules of the IH-DMSON detection algorithm. This module is able to store the results of the detection algorithm.

The relationship between the MONITOR and the DETECTOR LIBRARY includes the possibility of sending alerts to logging facilities.

COMPILER and DETECTOR LIBRARY

Again, once the network traffic is aggregated into flows and the MONITOR DETECTOR LIBRARY has analyzed it, it is ready to be analyzed using the offline modules of the IH-DMSON detection algorithm. This module is able to store the results of the detection algorithm.

The relationship between the COMPILER and the DETECTOR LIBRARY also includes the possibility of sending alerts to logging facilities.

MITIGATOR

Once the DETECTOR has accomplished its function of detecting suspected infected users, the DNS communication will be mitigated, for example by being blocked, using the component called MITIGATOR. This element analyses the traffic passing through the access node and invokes the MITIGATOR LIBRARY, which implements the MALWARE-DSON Mitigation Algorithm. The MITIGATOR LIBRARY needs the information previously stored as a result of the detection algorithm to allow or block the suspected DNS traffic. Besides, the MITIGATOR LIBRARY can be used to dynamically change the mitigation algorithm and its settings.

Architecture interfaces

MONITOR-COMPILER

As shown in Figure 5, the communication between the MONITOR and the COMPILER uses the FLOWS, USERDB and SERVERDB databases to perform the communication between the DETECTOR LIBRARIES.

The deployed database named FLOWS must allow the MONITOR to store the flows built in the exchange format agreed between the PROBE and the MONITOR. These stored flows can be queried by the COMPILER as well, which will generate new data and store them in another database (like SERVERDB or USERDB).

The deployed databases named USERDB and SERVERDB must allow the MONITOR to store the user and server information, built in a format different from the one agreed between the PROBE and the MONITOR (see Figure 6). These stored records can also be queried by the MITIGATOR, through the MITIGATOR LIBRARY, which uses them during the mitigation process.

USERDB and SERVERDB store user and server records. These records contain related user or server information generated by DETECTOR LIBRARY.

IH-DMSON Detection Algorithm

The objective of this algorithm is to detect suspected infected users in a lightweight manner by monitoring DNS requests and responses. User equipment compromised by malware can act as a botnet node (bot), being used to participate in DDoS attacks or in other threats.

Though the bot behavior can come in different flavors and the DNS stream may not be continuous, with long intervals of waiting silently without sending anything, the IH-DMSON detection algorithm is able to detect these behaviors since it evaluates several vectors within an interval of time, in order to establish the list of malicious users and assign a user reputation level. The detection vectors/features to evaluate are the following:

• DNS server

• Starred domains

• Known domains

• CDN domains

• Suspicious domains

• W/B list checking

• Dynamic DNS domains

• Response CODE

• Packet size

• Domain Depth

• Label length

• Query dissection

• Throughput

• Response FLAGS

• Response Type

• RRSet encapsulation

• Dynamic Generator Algorithm

• Domain character

• Domain Name Cluster

• GeoIP (AS/BGP)

• Domain Registering

As inferred from the list of vectors, the suspected infected host identity in these algorithms relies on the server IP address. However, when this IP address has been assigned dynamically, other ways to identify a user should be used. For example, a combination of user IP address and the transmission timestamp, which needs a request to an external system like RADIUS, or a combination of IP Address and other transmission features within the access node for that traffic, like the sub-interface or the port used for that communication.

In an embodiment, Figure 7 shows the traffic analysis done by the IH-DMSON Detection Algorithm used by the MONITOR. Taking this figure as a basis, the data flow (1) to obtain the aforementioned information records is analyzed as follows:

• DNS traffic is used to calculate each record based on the vector algorithms. Each generated record, calculated by each process (2), is stored (3) into the database, and each process must update the user values or server values where applicable. A user has a variable number of associated records, and these values determine the user's security level or "trust-ability" index. At the end of the flow, the alerts generated by the process can be sent to third party systems (4).

In another embodiment, Figure 8 shows the IH-DMSON Detection Algorithm used by the COMPILER. Taking this figure as a basis, the data flow (1) to obtain the aforementioned information records is analyzed as follows:

• DNS traffic is used to calculate the information records. The COMPILER DETECTOR LIBRARY processes work in parallel. Each process (2) can update or add database records (3). At the end of the flow, the alerts generated by the process can be sent to third party systems (4).

At each configured interval of time, the detection counters are evaluated against the corresponding thresholds set for the algorithm execution. Thus, when the user's DNS traffic has increased substantially, exceeding the configured thresholds, it indicates that a bot has probably infected the user. In this case, the user's reputation level is increased.

As noted above, the COMPILER DETECTOR LIBRARY works in offline mode, unlike the MONITOR DETECTOR LIBRARY. In order to achieve better performance, the heavier vectors are evaluated in the COMPILER module.
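The per-interval evaluation described above, as an added example that is not the patent's own code: six of the listed vectors (DNS server, Response CODE, Packet size, Domain Depth, Label length, Throughput) are counted per client over already-parsed DNS records, compared with thresholds at the end of the interval, and the USERDB reputation level is raised for clients that exceeded them. The record layout, threshold values and the 0..3 reputation scale are assumptions.

```python
# Added example (not the patent's own code): one evaluation interval of the
# IH-DMSON Detection Algorithm. Assumptions: DNS traffic arrives as parsed
# query/response records; only six of the listed vectors are evaluated;
# thresholds and the 0..3 reputation scale are illustrative values.
from collections import defaultdict
from dataclasses import dataclass, field

SAFE, CRITICAL = 0, 3          # reputation level: 0 = safe, 3 = critical
NXDOMAIN = 3                   # DNS RCODE for "name does not exist"
MAX_DEPTH, MAX_LABEL, MAX_SIZE = 5, 30, 512

# Per-interval thresholds (illustrative): a counter above its limit "fires".
THRESHOLDS = {"queries": 50, "nxdomain": 10, "deep_names": 5,
              "long_labels": 5, "big_packets": 5, "servers": 3}


@dataclass
class DnsRecord:
    client_ip: str   # subscriber side of the access node
    server_ip: str   # resolver the query was sent to (DNS server vector)
    qname: str       # queried name
    rcode: int       # response code (Response CODE vector)
    size: int        # packet size in bytes (Packet size vector)


@dataclass
class Counters:
    queries: int = 0         # Throughput vector
    nxdomain: int = 0
    deep_names: int = 0
    long_labels: int = 0
    big_packets: int = 0
    servers: set = field(default_factory=set)


def domain_depth(qname: str) -> int:
    """Domain Depth vector: number of labels in the queried name."""
    return len([lbl for lbl in qname.strip(".").split(".") if lbl])


def longest_label(qname: str) -> int:
    """Label length vector: length of the longest label."""
    return max((len(lbl) for lbl in qname.strip(".").split(".")), default=0)


def count_vectors(records):
    """Figure 7, processes (2): update per-client counters for one interval."""
    per_client = defaultdict(Counters)
    for r in records:
        c = per_client[r.client_ip]
        c.queries += 1
        c.servers.add(r.server_ip)
        c.nxdomain += int(r.rcode == NXDOMAIN)
        c.deep_names += int(domain_depth(r.qname) > MAX_DEPTH)
        c.long_labels += int(longest_label(r.qname) > MAX_LABEL)
        c.big_packets += int(r.size > MAX_SIZE)
    return per_client


def exceeded_vectors(c: Counters):
    """Names of the vectors whose counter crossed its threshold."""
    return [name for name, limit in THRESHOLDS.items()
            if (len(c.servers) if name == "servers" else getattr(c, name)) > limit]


def evaluate_interval(records, userdb):
    """End-of-interval step: compare counters with thresholds, raise the
    reputation level of clients that exceeded them (USERDB update, step (3))
    and return the alerts for the logging facilities (step (4))."""
    alerts = []
    for client_ip, c in count_vectors(records).items():
        hits = exceeded_vectors(c)
        if hits:   # one level per interval with any firing vector (assumption)
            userdb[client_ip] = min(CRITICAL, userdb.get(client_ip, SAFE) + 1)
            alerts.append((client_ip, userdb[client_ip], hits))
    return alerts


def sample_records():
    """Constructed traffic: a normal client plus a bot-like client that sends
    many never-resolving, long random-looking names to several resolvers."""
    recs = [DnsRecord("10.0.0.5", "192.0.2.53", "www.example.com", 0, 90),
            DnsRecord("10.0.0.5", "192.0.2.53", "mail.example.net", 0, 95)]
    for i in range(60):
        label = "%032x" % (i * 2654435761)       # 32-character hex label
        recs.append(DnsRecord("10.0.0.9", "198.51.100.%d" % (i % 4 + 1),
                              label + ".c2.example.org", NXDOMAIN, 80))
    return recs


if __name__ == "__main__":
    userdb = {}
    for client, level, hits in evaluate_interval(sample_records(), userdb):
        print(client, "reputation ->", level, "vectors:", hits)
```

Running the same interval repeatedly drives the bot-like client up to the critical level, which is the input the mitigation step consumes.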

IH-DMSON Mitigation Algorithm

Figure 9 describes the IH-DMSON mitigation algorithm used in the present invention.

Mitigation consists of dropping the user traffic from a suspicious IP address detected by the IH-DMSON detection algorithm, or of another action triggered by MITIGATOR alerts. These actions could be based on publicly proposed standards or on ISP proposals.

Through the DNS traffic detection (1) at the access node, if the origin IP address belongs to an infected host (2), then the traffic flow will be dropped and an alert will be generated. This occurs only in case this IP address has been assigned a critical reputation level. If the user's infection level is considered safe (3), the input data is DNS traffic (UDP or TCP transport protocol) (5), and the server's infection level is not safe, then the algorithm drops the flow (6). Otherwise (7) the flow is forwarded (8).
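The Figure 9 decision sequence above, written out as an added example that is not the patent's own code. USERDB and SERVERDB are modelled as plain dicts keyed by IP address and holding a reputation level; the 0 = safe / 3 = critical scale, reading "safe" as "below critical", and recognising DNS traffic as UDP or TCP to port 53 are assumptions.

```python
# Added example (not the patent's own code): the IH-DMSON Mitigation
# Algorithm decision logic of Figure 9. Assumptions: USERDB/SERVERDB are
# dicts of IP -> reputation level, 0 = safe and 3 = critical, "safe" means
# below critical, and DNS traffic is UDP or TCP to port 53.
from dataclasses import dataclass

SAFE, CRITICAL = 0, 3
DNS_PORT = 53


@dataclass
class Packet:
    src_ip: str      # subscriber (origin) address seen at the access node
    dst_ip: str      # server the packet is going to
    proto: str       # "udp" or "tcp"
    dst_port: int


def is_dns(pkt: Packet) -> bool:
    """Step (5): input data is DNS traffic over UDP or TCP transport."""
    return pkt.proto in ("udp", "tcp") and pkt.dst_port == DNS_PORT


def mitigate(pkt: Packet, userdb: dict, serverdb: dict):
    """Return (action, alert): action is "drop" or "forward"; alert is a
    message for the logging facilities, or None when no alert is raised."""
    user_level = userdb.get(pkt.src_ip, SAFE)
    # (2): origin IP is an infected host with a critical reputation level
    if user_level >= CRITICAL:
        return "drop", "critical host %s blocked" % pkt.src_ip
    # (3)+(5)+(6): user below critical, DNS traffic, destination server not safe
    server_level = serverdb.get(pkt.dst_ip, SAFE)
    if is_dns(pkt) and server_level != SAFE:
        return "drop", None
    # (7)/(8): everything else is forwarded
    return "forward", None


def apply_to_flow(packets, userdb, serverdb):
    """Run the decision over a batch of packets; returns the list of actions."""
    return [mitigate(p, userdb, serverdb)[0] for p in packets]


if __name__ == "__main__":
    # Constructed databases: one critical subscriber, one suspicious resolver.
    userdb = {"10.0.0.9": CRITICAL, "10.0.0.7": 1}
    serverdb = {"203.0.113.66": 2}
    flow = [Packet("10.0.0.9", "192.0.2.53", "udp", 53),
            Packet("10.0.0.5", "203.0.113.66", "udp", 53),
            Packet("10.0.0.5", "203.0.113.66", "tcp", 443),
            Packet("10.0.0.5", "192.0.2.53", "tcp", 53)]
    print(apply_to_flow(flow, userdb, serverdb))
```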

Advantages of the Invention:

Including the Infected Host Detection and Mitigation System in the ISP network at the access nodes will provide the following advantages:

• Infected host detection and mitigation at the network edge, a functionality that currently is not provided by any equipment at this point.

• Quick and lightweight detection in real time, to react as soon as possible and to avoid overloading the network node that will process the traffic.

• DNS flows are analyzed in depth, which is a substantial difference from other inventions based on DNS content analysis. Furthermore, it also protects the privacy of user messages.

• Efficiency through processing distribution, since the MITIGATOR can easily work in a different physical device within the access node, different from the device/s used by the rest of the components in the architecture.

• Since detection is performed at origin in the network access nodes, suspected infected hosts belonging to the ISP network can be detected, avoiding the problems related to NAT (use of private IP addressing).

• Dropping traffic prevents infected users from being included in blacklists.

• Undesirable traffic will be mitigated, optimizing network resources and, obviously, impacting on the network dimensioning.

• Reducing ISP costs related to customer tickets caused by the blocking of legitimate traffic.

• Providing infrastructure protection against attacks.

• Improving ISP reputation.

A person skilled in the art could introduce changes and modifications in the embodiments described without departing from the scope of the invention as it is defined in the attached claims.

ACRONYMS

BRAS Broadband Remote Access Server

DDoS Distributed Denial of Service

DNS Domain Name System

GGSN Gateway GPRS Support Node

ISP Internet Service Provider

NADS Network Anomaly Detection System

NAT Network Address Translation

RADIUS Remote Authentication Dial-In User Server

SPAM Junk mail

TCP Transport Control Protocol

UDP User Datagram Protocol