

Title:
PROTECTION AGAINST MALICIOUS DATA TRAFFIC
Document Type and Number:
WIPO Patent Application WO/2021/123491
Kind Code:
A1
Abstract:
The present invention relates to a method for defending against a malicious data traffic, the method comprises: monitoring (310), by a defender device (230), data traffic flowing through a network device (120); generating (330) a first control signal, by the defender device (230), in response to a detection (320) that the data traffic comprises a predefined amount of malicious data traffic, to cause a delivery of the data traffic to the defender device (230); terminating (340) the malicious data traffic in the defender device (230). The invention also relates to an apparatus implementing the method, a computer program product and a system.

Inventors:
ROUVINEN JARMO TAPIO (FI)
Application Number:
PCT/FI2019/050919
Publication Date:
June 24, 2021
Filing Date:
December 20, 2019
Assignee:
AIRO FINLAND OY (FI)
International Classes:
H04L29/06; G06F21/55
Domestic Patent References:
WO2017196558A12017-11-16
WO2018224720A12018-12-13
Foreign References:
EP1691529A12006-08-16
US9756075B12017-09-05
Attorney, Agent or Firm:
BERGGREN OY (FI)
Claims:
WHAT IS CLAIMED IS:

1. A method for defending against a malicious data traffic, the method comprises: monitoring (310), by a defender device (230), data traffic flowing through a network device (120), generating (330) a first control signal, by the defender device (230), in response to a detection (320) that the data traffic comprises a predefined amount of malicious data traffic, to cause a delivery of the data traffic to the defender device (230), terminating (340) the malicious data traffic in the defender device (230).

2. The method of claim 1 , wherein a monitoring (310) of the data traffic is performed by receiving, by the defender device (230), a copy of at least one mirrored data packet transported in the data traffic from the network device (120).

3. The method of claim 2, wherein the copy of the at least one data packet is received through a monitoring port (220) of the network device (120).

4. The method of any of the preceding claims, wherein a generation (330) of the first control signal to deliver the data traffic to the defender device (230) is performed to at least one network device (120) by generating a control frame to the at least one network device (120), the control frame comprising data indicating a location of an address transformation information for directing the data traffic to the defender device (230).

5. The method of claim 4, wherein the at least one network device (120) is at least one of: at least one network device arranged to operate on Layer 2, at least one network device arranged to operate on Layer 3, at least one connectivity network, a communication network arranged to operate on Layer 2, a communication network arranged to operate on Layer 3.

6. The method of any of the preceding claims, wherein the generation of the first control signal is repeated a number of times.

7. The method of any of the preceding claims, the method further comprising: generating (410), by the defender device (230), a second control signal to the at least one network device (120) to cancel a delivery of the malicious data traffic to the defender device (230).

8. The method of claim 7, wherein a generation of the second control signal is repeated a number of times.

9. The method of claim 7, wherein the second control signal to cancel the delivery of the malicious data traffic to the defender device (230) is delivered to the at least one network device (120) in the context of the delivery of the instruction to deliver the data traffic to the defender device (230), the second control signal to cancel the delivery of the data traffic comprises a definition of a time window the network device (120) is instructed to deliver the data traffic to the defender device (230).

10. The method of any of the preceding claims, wherein the defender device (230) is set hidden by defining a MAC address of the defender device (230) in a manner deviating from a MAC address space reserved for the network devices (120).

11. The method of any of the preceding claims, wherein the defender device (230) is set hidden by applying a MAC address of another network device (120) as the MAC address of the defender device (230).

12. A defender device (230), comprising: at least one processor (610); and at least one memory (620) including computer program code (625); the at least one memory (620) and the computer program code (625) configured to, with the at least one processor (610), cause the defender device (230) to: monitor (310) data traffic flowing through a network device (120), generate (330) a first control signal in response to a detection (320) that the data traffic comprises a predefined amount of malicious data traffic, to cause a delivery of the data traffic to the defender device (230), terminate (340) the malicious data traffic.

13. The defender device (230) of claim 12, wherein the defender device (230) is arranged to perform a monitoring (310) of the data traffic by receiving a copy of at least one mirrored data packet transported in the data traffic from the network device (120).

14. The defender device (230) of claim 13, wherein the defender device (230) is arranged to receive the copy of the at least one data packet through a monitoring port (220) of the network device (120).

15. The defender device (230) of any of the preceding claims 12 - 14, wherein the defender device (230) is arranged to perform a generation (330) of the first control signal to deliver the data traffic to the defender device (230) by generating a control frame to the at least one network device (120), the control frame comprising data indicating a location of an address transformation information for directing the data traffic to the defender device (230).

16. The defender device (230) of claim 15, wherein the at least one network device (120) to which the defender device (230) is arranged to generate the first control signal is at least one of: at least one network device arranged to operate on Layer 2, at least one network device arranged to operate on Layer 3, at least one connectivity network, a communication network arranged to operate on Layer 2, a communication network arranged to operate on Layer 3.

17. The defender device (230) of any of the preceding claims 12 - 16, wherein the defender device (230) is arranged to repeat the generation of the first control signal a number of times.

18. The defender device (230) of any of the preceding claims 12 - 17, the defender device (230) is further arranged to: generate (410) a second control signal to the at least one network device (120) to cancel a delivery of the malicious data traffic to the defender device (230).

19. The defender device (230) of claim 18, wherein the defender device (230) is arranged to repeat a generation of the second control signal a number of times.

20. The defender device (230) of claim 18, wherein the defender device (230) is arranged to deliver the second control signal to cancel the delivery of the malicious data traffic to the defender device (230) to the at least one network device (120) in the context of the delivery of the instruction to deliver the data traffic to the defender device (230), the second control signal to cancel the delivery of the data traffic comprises a definition of a time window the network device (120) is instructed to deliver the data traffic to the defender device (230).

21. The defender device (230) of any of the preceding claims 12 - 20, wherein the defender device (230) is set hidden by defining a MAC address of the defender device (230) in a manner deviating from a MAC address space reserved for the network devices (120).

22. The defender device (230) of any of the preceding claims 12 - 21, wherein the defender device (230) is set hidden by applying a MAC address of another network device (120) as the MAC address of the defender device (230).

23. A computer program product for defending against a malicious data traffic which, when executed by at least one processor, cause an apparatus to perform the method according to any of claims 1 - 11.

24. A system, comprising: a plurality of network devices (120) communicatively connected to each other, a defender device (230) according to any of claims 12 - 22.

Description:
PROTECTION AGAINST MALICIOUS DATA TRAFFIC

TECHNICAL FIELD

The invention concerns in general the technical field of communication networks. More particularly, the invention concerns a solution for protecting the communication networks against service attacks.

BACKGROUND

Communication in today's world is heavily based on communication networks. The development in the area of the communication networks has been tremendous especially during the past decades. However, the more important the communications networks have become the more attractive targets they are for criminals. One way to disturb data traffic in the communication network is to generate there an amount of malicious data traffic which jams at least in part the communication network and/or network elements implementing operations enabling the data traffic in the communication network.

The malicious data traffic may be related to a so called Distributed Denial of Service attack (DDOS) which is a common abuse in the communications networks. The distributed denial of service attack is an attempt to prevent or to impair a legitimate use of a service in the communications network through harnessing a number of network elements to generate and to transmit malicious data to a target address or even from there.

In Figure 1 it is illustrated an example of the DDOS attack in which the attacking party 110 harnesses a plurality of network devices 120A, 120B, 120C to transmit malicious data to the target 130. A non-limiting example of the network device 120A, 120B, 120C may be a so-called DNS (Domain Name System) resolver. In the manner as illustrated in Figure 1 it is possible to achieve a so-called volumetric DDOS attack because by harnessing a plurality of network devices 120A, 120B, 120C in the task the attack may be amplified and delivered to the target over a plurality of network paths (also called DDOS vectors). The target 130 shall be understood as a single network device, such as a terminal device or a server device, but it may also refer to a sub-network of the communication network, such as a private communication network. As said, Figure 1 illustrates only one example of a DDOS attack, but other types of DDOS attacks exist, such as application layer attacks and protocol attacks.

Some solutions have been developed to protect the target 130 from receiving malicious data traffic. This may be arranged by directing the data traffic from the communication network to a cloud service, which is arranged to inspect the received data and, if some malicious data traffic is found, it is filtered out from the received data and the actual data, i.e. the cleaned data, is delivered to the target 130. Other prior art solutions are based on application level solutions (cf. L7 in the OSI model) in which any detection and filtering of the malicious data traffic is performed by an application executing the task in the network device in question, such as in the terminal device.

Generally speaking, the existing solutions for protecting against malicious data traffic are typically based on a monitoring of an amount of data traffic (applying so-called baselining) and/or on a behaviour analysis of network and/or network entities under monitoring. However, the drawback of the existing solutions is that they become unreliable when a network environment changes, such as when new applications/connections are introduced and/or existing applications are disabled and/or a structure of the network changes and/or changes in user accounts, and so on.

Hence, there is a need to introduce further solutions to mitigate effects of malicious data traffic in the communication networks.

SUMMARY

The following presents a simplified summary in order to provide basic understanding of some aspects of various invention embodiments. The summary is not an extensive overview of the invention. It is neither intended to identify key or critical elements of the invention nor to delineate the scope of the invention. The following summary merely presents some concepts of the invention in a simplified form as a prelude to a more detailed description of exemplifying embodiments of the invention.

An object of the invention is to present a method, an apparatus, a computer program product and a system for defending against malicious data carried in a communication network. Another object of the invention is that the method, the apparatus, the computer program product and the system is suitable to remove the malicious data from communication at least in part.

The objects of the invention are reached by a method, an apparatus, a computer program product and a system as defined by the respective independent claims.

According to a first aspect, a method for defending against a malicious data traffic is provided, the method comprises: monitoring, by a defender device, data traffic flowing through a network device; generating a first control signal, by the defender device, in response to a detection that the data traffic comprises a predefined amount of malicious data traffic, to cause a delivery of the data traffic to the defender device; terminating the malicious data traffic in the defender device.

A monitoring of the data traffic may be performed by receiving, by the defender device, a copy of at least one mirrored data packet transported in the data traffic from the network device. For example, the copy of the at least one data packet is received through a monitoring port of the network device. Moreover, a generation of the first control signal to deliver the data traffic to the defender device may be performed to at least one network device by generating a control frame to the at least one network device, the control frame comprising data indicating a location of an address transformation information for directing the data traffic to the defender device. The at least one network device may e.g. be at least one of: at least one network device arranged to operate on Layer 2, at least one network device arranged to operate on Layer 3, at least one connectivity network, a communication network arranged to operate on Layer 2, a communication network arranged to operate on Layer 3. Further, the generation of the first control signal may be repeated a number of times.

The method may further comprise: generating, by the defender device, a second control signal to the at least one network device to cancel a delivery of the malicious data traffic to the defender device. A generation of the second control signal may be repeated a number of times.

Alternatively or in addition, the second control signal to cancel the delivery of the malicious data traffic to the defender device may be delivered to the at least one network device in the context of the delivery of the instruction to deliver the data traffic to the defender device, the second control signal to cancel the delivery of the data traffic comprising a definition of a time window during which the network device is instructed to deliver the data traffic to the defender device.

Furthermore, the defender device may be set hidden by defining a MAC address of the defender device in a manner deviating from a MAC address space reserved for the network devices. Alternatively or in addition, the defender device may be set hidden by applying a MAC address of another network device as the MAC address of the defender device.

According to a second aspect, a defender device is provided, the defender device comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the defender device to: monitor data traffic flowing through a network device; generate a first control signal in response to a detection that the data traffic comprises a predefined amount of malicious data traffic, to cause a delivery of the data traffic to the defender device; terminate the malicious data traffic.

The defender device may be arranged to perform a monitoring of the data traffic by receiving a copy of at least one mirrored data packet transported in the data traffic from the network device. For example, the defender device may be arranged to receive the copy of the at least one data packet through a monitoring port of the network device.

The defender device may be arranged to perform a generation of the first control signal to deliver the data traffic to the defender device by generating a control frame to the at least one network device, the control frame comprising data indicating a location of an address transformation information for directing the data traffic to the defender device. For example, the at least one network device to which the defender device is arranged to generate the first control signal may be at least one of: at least one network device arranged to operate on Layer 2, at least one network device arranged to operate on Layer 3, at least one connectivity network, a communication network arranged to operate on Layer 2, a communication network arranged to operate on Layer 3.

Moreover, the defender device may be arranged to repeat the generation of the first control signal a number of times.

The defender device may further be arranged to: generate a second control signal to the at least one network device to cancel a delivery of the malicious data traffic to the defender device. The defender device may be arranged to repeat a generation of the second control signal a number of times.

Alternatively or in addition, the defender device may be arranged to deliver the second control signal to cancel the delivery of the malicious data traffic to the defender device to the at least one network device in the context of the delivery of the instruction to deliver the data traffic to the defender device, the second control signal to cancel the delivery of the data traffic comprising a definition of a time window during which the network device is instructed to deliver the data traffic to the defender device.

Moreover, the defender device may be set hidden by defining a MAC address of the defender device in a manner deviating from a MAC address space reserved for the network devices.

Alternatively or in addition, the defender device may be set hidden by applying a MAC address of another network device as the MAC address of the defender device.

According to a third aspect, a computer program product for defending against a malicious data traffic is provided which, when executed by at least one processor, cause an apparatus to perform the method according to the first aspect.

According to a fourth aspect, a system is provided, the system comprising: a plurality of network devices communicatively connected to each other, and a defender device according to the second aspect.

The expression "a number of” refers herein to any positive integer starting from one, e.g. to one, two, or three.

The expression "a plurality of" refers herein to any positive integer starting from two, e.g. to two, three, or four.

Various exemplifying and non-limiting embodiments of the invention, both as to constructions and to methods of operation, together with additional objects and advantages thereof, will be best understood from the following description of specific exemplifying and non-limiting embodiments when read in connection with the accompanying drawings.

The verbs "to comprise" and "to include" are used in this document as open limitations that neither exclude nor require the existence of unrecited features. The features recited in dependent claims are mutually freely combinable unless otherwise explicitly stated. Furthermore, it is to be understood that the use of "a" or "an", i.e. a singular form, throughout this document does not exclude a plurality.

BRIEF DESCRIPTION OF FIGURES

The embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.

Figure 1 illustrates schematically an example of a DDOS attack.

Figure 2 illustrates schematically a communication system according to an embodiment of the invention.

Figure 3 illustrates schematically a method according to an embodiment of the invention.

Figure 4 illustrates schematically further aspects of a method according to an embodiment of the invention.

Figure 5 illustrates schematically further aspects relating to a communication system according to an embodiment of the invention.

Figure 6 illustrates schematically a defender device according to an embodiment of the invention.

DESCRIPTION OF THE EXEMPLIFYING EMBODIMENTS

The specific examples provided in the description given below should not be construed as limiting the scope and/or the applicability of the appended claims. Lists and groups of examples provided in the description given below are not exhaustive unless otherwise explicitly stated.

Figure 2 illustrates schematically a communication system, or a communication environment, into which a network device called a defender device 230 may be connected to perform a task providing a protection in the communication path between communicating entities and to entities communicatively connected to the communication network 210. The connection of the defender device 230 to the communication path may e.g. be arranged so that it is not an inline device or a single point of failure device but arranged so that it may transmit control signals either directly or indirectly to one or more network entities in the communication path. For example, the control signals may be transmitted through e.g. an applicable application or client port of the defender device 230 and an access port of the network device 120 (indicated with a two-headed arrow between the defender device 230 and the network device 120 in Figure 2). Further, the defender device 230 may be communicatively connected as a hidden device to the communication path as will be described in the forthcoming description. Moreover, as schematically illustrated in Figure 2 the defender device 230 is arranged to monitor a network device 120 through an applicable monitoring port 220, such as a mirror port of the network device 120, and, hence, data traffic transported over the network device 120. In accordance with some embodiments of the present invention the defender device 230 may be connected in the communication path by using a so-called hidden, or stealth, MAC (media access control) address in order to stay invisible, but operable, to the other entities in the communication path. An advantage of arranging the defender device 230 to be hidden is that other network entities cannot find the defender device 230 e.g. by pinging, or with any similar query or scanning (cf. e.g. ICMP ping, DNS request, SNMP request, HTTP/HTTPS status request, UPnP request, and so on). The hidden MAC address does not correspond to a so-called normal MAC address, i.e. the MAC address assigned to an application port of the defender device 230, but is imaginary. The term "imaginary" here shall at least be understood so that the syntax of the hidden MAC address corresponds to a normal MAC address, but the content of the hidden MAC address is selected from an address space not corresponding to any reserved addresses, such as those reserved by device manufacturers. In other words, the hidden MAC address is not linked in any way to the so-called electronics of the defender device 230. Hence, attacking the defender device 230 cannot be initiated due to the stealth nature of the device. Even if the defender device 230 is arranged to be hidden, normal communication protocols, such as MAC, IP, UDP, or TCP may be applied in the communication.

Summarizing the description given above, the defender device 230 is set hidden against the communication path because the mirror port of the network device 120 is not used for transmitting any data, which means that any device, such as the defender device 230, behind the mirror port is not visible to the communication path. Moreover, since the other port of the defender device 230, i.e. the application port, used for the control signals and for terminating the malicious data traffic in the defender device 230 is also set hidden in the above described manner, the defender device 230 is hidden towards the communication path, and towards any network device communicatively connected to the communication path.

The monitored network device 120 may e.g. be a device implementing communication functions in a Layer 2 (L2) or Layer 3 (L3) environment in terms of the OSI (Open Systems Interconnection) model. L2 refers to the data link layer and L3 to the network layer in the OSI model, and they implement the corresponding protocols, such as IP. As a non-limiting example, the network device 120 under monitoring may be a switch, a routing device, a firewall, a packet flow system or any similar device. In accordance with example embodiments the network device 120 is involved in a transmission of data packets from the communication network 210 to a target entity 130. The target entity 130 may e.g. be a single network device, such as a terminal device or a server device, but it may also refer to a separate network from the communication network 210 or a sub-network of the communication network 210, such as a private communication network. In Figure 2 an attacking party 110 may attack the target entity 130 by generating either directly or indirectly malicious data to be delivered to the target entity 130 along with other data traffic. For example, the attack type caused by the attacking party 110 may be a so-called Distributed Denial of Service (DDOS) attack in which the attacking party 110 may harness a plurality of network entities e.g. residing in the communication network 210 e.g. to generate and at least to transmit malicious data to the target entity 130. For the sake of clarity it is worthwhile to mention that the defender device 230 may also be arranged to monitor the data traffic from the target entity 130 towards the communication network 210 delivered over the network device 120 under monitoring. It is also worthwhile to mention that the communication path between the communicating entities may comprise a number of network entities through which the data packets of the data traffic may be transported.

Next further aspects are discussed by referring to Figure 3 illustrating schematically a method according to an example embodiment. At least one objective achieved with the method is to defend against malicious data traffic carried by the entity monitored by a defender device 230. Hence, the method according to the example embodiment as illustrated in Figure 3 is described from the defender device 230 point of view. As said, the defender device 230 may be arranged to monitor 310 data traffic flowing through a network device 120. The defender device 230 may be connected in parallel to the data connection and the monitored entity, i.e. the network device 120, therein. The parallel connection may be arranged so that the defender device 230 is arranged to monitor 310, or listen to, the data traffic flowing over the network device 120 through an applicable monitoring port of the network device 120. The applicable monitoring port 220 may e.g. be a mirror port, or any port that mirrors, such as copies, the data packets of the data traffic, i.e. performs port mirroring e.g. with the so-called switched port analyzer (SPAN) feature, especially in devices implementing communication on the L2/L3 layers. In the case of a packet flow system an applicable monitoring port may e.g. be a so-called monitor port. In other words, the monitoring may be performed at OSI Layer 2 (MAC data traffic) or at OSI Layer 3 (IP data traffic) or at both. Through the monitoring 310 in the described manner a detection 320 may be performed of whether the data traffic comprises malicious data or not. The detection may be based on a monitoring of an amount of data traffic (e.g. through the network device 120 under monitoring), a direction of the data traffic, a location of the data traffic in the network, a type of the data traffic (e.g. from one to one, from one to many, from many to one, from many to many), applied protocols, UDP/TCP port numbers, or any combination of these.
In some non-limiting examples, the defender device 230 may be arranged to apply machine learning for understanding a typical operation of the communication network, or of one or more network devices, in which it resides, and a deviation larger than allowed may automatically be detected. Still further, in some example embodiments a limit may be set defining an amount of malicious data that is accepted in the data traffic. The limit may e.g. be expressed as a percentage of the total amount of traffic. In other words, if the data traffic comprises less malicious data traffic than allowed, the monitoring 310 may be continued. However, if an outcome of the monitoring 310 is that an amount of malicious data traffic that exceeds the allowed limit is detected 320, further operations may be performed. In accordance with the example embodiment the defender device 230 may be arranged to generate a first control signal, i.e. to instruct, in response to the detection that the data traffic comprises a predefined amount of malicious data traffic, one or more network devices 120 through which the malicious data traffic is transported to the network device 120 under monitoring to deliver the data traffic to the defender device 230. In other words, the defender device 230 may generate the first control signal also to other network devices than the monitored network device 120 only. For example, the first control signal may be generated, i.e. composed and transmitted, by applying the respective L2/L3 communication protocols to all network devices serving the network operation on a certain layer of the OSI model, such as on Layer 2 or Layer 3. The control signal may be generated concurrently to one or a plurality of network devices. By applying the L2/L3 communication protocols for controlling there is no need to know the destination devices since the control signal is automatically distributed in the communication path in a broadcast manner.
In accordance with at least some embodiments of the invention the defender device 230 may have access to data defining the network devices in the communication path in question, or the defender device may be arranged to learn a structure of the communication network through machine learning or by receiving definitions e.g. manually from a user, for example.
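The detection step (320) described above takes traffic volume, direction, the one-to-one / many-to-one shape, protocols and UDP/TCP port numbers as inputs, and uses a percentage of the total traffic as the limit that triggers the first control signal. The following Python is an added example, not code from the patent or from AIRO Finland Oy: it applies one such rule (a many-to-one burst of UDP responses from source port 53, the DNS amplification shape of Figure 1) to a constructed batch of mirrored packet records, measures the share of bytes that the rule flags, and compares that share with the configured limit. The packet record fields, the addresses, the rule and the 30 % default limit are all assumptions made for the example.

```python
"""Detection (320) over mirrored packets: flag a many-to-one burst of UDP/53
responses and compare its share of the monitored bytes with a limit.
Added example; the rule and the sample data are assumptions, not the patent's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One mirrored packet as seen on the monitoring port (assumed fields)."""
    src_ip: str
    dst_ip: str
    proto: str   # "UDP" or "TCP"
    sport: int
    dport: int
    length: int  # bytes on the wire


# Constructed sample, not a real capture: five open resolvers answer a host
# that never asked (many-to-one), plus ordinary TCP traffic and one single
# legitimate-looking DNS answer to another host.
SAMPLE = [
    Packet("198.51.100.%d" % i, "203.0.113.10", "UDP", 53, 44444, 1200)
    for i in range(1, 6)
] + [
    Packet("192.0.2.7", "203.0.113.10", "TCP", 51000, 443, 500),
    Packet("203.0.113.10", "192.0.2.7", "TCP", 443, 51000, 500),
    Packet("192.0.2.8", "203.0.113.20", "TCP", 51001, 443, 500),
    Packet("198.51.100.9", "203.0.113.20", "UDP", 53, 40000, 300),
]


def flag_malicious(packets, min_sources=3):
    """Return the packets that belong to a many-to-one UDP/53 response burst.

    A destination that receives port-53 responses from at least `min_sources`
    distinct senders is treated as an amplification target, and every UDP/53
    packet towards it is flagged. All other traffic is left alone."""
    sources = defaultdict(set)
    for p in packets:
        if p.proto == "UDP" and p.sport == 53:
            sources[p.dst_ip].add(p.src_ip)
    targets = {dst for dst, srcs in sources.items() if len(srcs) >= min_sources}
    return [p for p in packets
            if p.proto == "UDP" and p.sport == 53 and p.dst_ip in targets]


def malicious_share(packets, min_sources=3):
    """Fraction (0.0 .. 1.0) of monitored bytes that the rule flagged."""
    total = sum(p.length for p in packets)
    if total == 0:
        return 0.0
    bad = sum(p.length for p in flag_malicious(packets, min_sources))
    return bad / total


def should_redirect(packets, limit=0.30, min_sources=3):
    """Detection outcome: True when the flagged share exceeds the accepted
    limit, i.e. when the defender should emit the first control signal (330);
    False means monitoring (310) simply continues."""
    return malicious_share(packets, min_sources) > limit


if __name__ == "__main__":
    share = malicious_share(SAMPLE)
    print(f"flagged {len(flag_malicious(SAMPLE))} packets, "
          f"share {share:.1%}, redirect={should_redirect(SAMPLE)}")
```

The single rule stands in for whatever detector (baselining, machine learning) a real defender runs; the point the method relies on is that the trigger is a share of the monitored traffic rather than an absolute count, so a burst that is large in bytes but small relative to a busy link will not cause a redirect, and the limit has to be tuned per monitored device.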

Next, some further aspects are described regarding the first control signal. Namely, the first control signal may be generated so that the one or more network devices 120 receive a control frame comprising data indicating a location of an address transformation information for directing the data traffic to the defender device 230. In other words, the defender device 230 instructs the respective network device 120 to set the destination address for the data packets in the data traffic to correspond to its own application port defined as the hidden MAC address and, hence, makes itself known in the communication path. Hence, if the network device 120 receiving the first control signal operates on Layer 2 in the OSI model, e.g. being an L2 switch, the destination address of the protected network device 120 is defined to be the MAC address of the application port of the defender device 230 (i.e. the hidden MAC). In this manner, it is possible to cause the network devices 120 operating on Layer 2 to update the so-called Content Addressable Memory (CAM) table and FIB/MAC table (FIB; Forwarding Information Base) accordingly with the new MAC information, i.e. the application port of the defender device 230, which causes the malicious data traffic to terminate in the defender device 230. The CAM table is a system memory construct used by Ethernet switch logic which stores information such as MAC addresses available on physical ports with their associated VLAN parameters. Correspondingly, the FIB table is typically used in network bridging, routing, and similar functions to find the proper output network interface to which the input interface should forward a packet.
More specifically, a non-limiting example of the control frame for L2 devices for terminating the data traffic in question to the defender device 230 is shown in the table 1 below which may be applied to at least for the following network types: L2 Physical Connectivity Networks (Physical MAC addresses used in connectivity networks), L2 Net works (Physical MAC addresses used in L2 network) or L2 Virtual Connectivity Networks (Virtual MAC addresses used in connectivity networks (e.g. Hot Standby Router Protocol (HSRP) and/or Virtual Router Redundancy Protocol (VRRP) environments):

TABLE 1 (L2 CONTROL FRAME)

Hence, the control frame as schematically illustrated in table 1 above may be delivered by the defender device 230 to all Layer 2 or Layer 3 network devices operating in the respective L2 network or VLAN (Virtual Local Area Network), which makes the network devices aware of the location of the address transformation information for directing the data traffic to the defender device 230 in response to the detection of the malicious data traffic as described, and when a defense against the malicious data traffic is activated.

Similarly, if the network device 120 receiving the first control signal operates on Layer 3 of the OSI model, e.g. being an L3 router-switch, the destination address, defined by a combined MAC address and IP address, is defined to be the application port of the defender device 230. In this manner, it is possible to cause the network devices 120 operating on Layer 2 to update the so-called Content Addressable Memory (CAM) table and the FIB/MAC table (FIB; Forwarding Information Base) accordingly with the new MAC information as described above. Additionally, an Address Resolution Protocol (ARP) table may be updated with a new IP address and MAC address pair of the defender device 230 in order to cause the data traffic to be sent to the defender device 230 instead of the target entity 130 (cf. the “victim”). For the sake of clarity, the Address Resolution Protocol is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. A non-limiting example of a control frame carried in the first control signal for L3 devices in order to terminate the traffic to the defender device 230 is shown in table 2 below, which may be applied to at least the following network types: L3 Physical Networks (physical MAC and IP addresses used in an L3 network):

TABLE 2 (L3 CONTROL FRAME)

Hence, the control frame as schematically illustrated in table 2 above may be delivered by the defender device 230 to all Layer 2 or Layer 3 network devices, which makes the network devices in the L3 network and in the L2 VLAN network aware of the location of the address transformation information, i.e. the MAC/IP address pair and/or the CAM table, for directing the data traffic to the defender device 230 in response to the detection of the malicious data traffic as described, and when a defense against the malicious data traffic is activated.

In response to step 330, in which the defender device 230 is arranged to generate the first control signal as described, the malicious data traffic is caused to be directed, or forwarded, to the defender device 230 from at least one network device in question. Hence, the defender device 230 starts receiving data packets of the malicious data traffic in the defined application port of the defender device 230. The defender device 230 is arranged to terminate the malicious data traffic thereto and, in that manner, to remove at least a part of the malicious data traffic from the other data traffic transported over the network device 120 under monitoring. In some embodiments of the invention the termination of the data traffic in the defender device 230 may comprise, but is not limited to, storing the received data packets in a memory accessible to the defender device 230 or deleting the received data packets from the memory.
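As an added example, not part of the patent text, the following Python models the monitoring and detection loop (steps 310 to 340) on a mirrored copy of the traffic: malicious packets are counted in a sliding time window, the first control signal is raised when the count reaches the predefined amount, and, anticipating the discontinuation described for step 410, the second control signal is raised when the count falls to a lower limit. The lower limit sits below the activation threshold so that the defender does not flap between states. The class and function names, the SYN-based classification rule, the two thresholds and the packets themselves are constructed assumptions; the patent specifies neither how malicious traffic is classified nor how the control signals are encoded.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Constructed packet summary as a monitor would extract it from a mirror."""
    src_ip: str
    dst_ip: str
    flags: str   # TCP flag string, "S" = bare SYN (constructed)
    ts: float    # capture timestamp in seconds


def classify_packet(pkt: Packet, protected_ip: str) -> bool:
    """Hypothetical detector: a bare SYN aimed at the protected target counts as
    malicious (SYN-flood style). The patent leaves the criteria open."""
    return pkt.dst_ip == protected_ip and pkt.flags == "S"


class DefenderMonitor:
    """Monitoring state machine of the defender device (assumed design).

    observe() returns 'first' when the first control signal should be generated
    (malicious count reaches activate_limit) and 'second' when the second control
    signal should be generated (count has fallen to release_limit or below)."""

    def __init__(self, protected_ip: str, window_s: float,
                 activate_limit: int, release_limit: int) -> None:
        if release_limit >= activate_limit:
            raise ValueError("release_limit must be below activate_limit")
        self.protected_ip = protected_ip
        self.window_s = window_s
        self.activate_limit = activate_limit   # "predefined amount" (step 320)
        self.release_limit = release_limit     # "predetermined limit" for returning
        self.hits: deque = deque()             # timestamps of malicious packets in window
        self.defending = False
        self.terminated: List[Packet] = []     # packets absorbed by the defender (step 340)

    def _malicious_in_window(self, now: float) -> int:
        while self.hits and now - self.hits[0] > self.window_s:
            self.hits.popleft()
        return len(self.hits)

    def observe(self, pkt: Packet) -> Optional[str]:
        """Feed one packet: a mirrored copy while monitoring, or the redirected
        traffic itself while defending."""
        malicious = classify_packet(pkt, self.protected_ip)
        if malicious:
            self.hits.append(pkt.ts)
        count = self._malicious_in_window(pkt.ts)
        if not self.defending and count >= self.activate_limit:
            self.defending = True
            return "first"
        if self.defending:
            if malicious:
                self.terminated.append(pkt)    # stored, not forwarded to the target
            if count <= self.release_limit:
                self.defending = False
                return "second"
        return None


def run_scenario() -> dict:
    """Constructed traffic: six SYNs from distinct sources at t = 0..5 s, then one
    benign packet at t = 60 s, after the burst has aged out of the 30 s window."""
    mon = DefenderMonitor("10.0.0.10", window_s=30, activate_limit=5, release_limit=1)
    events = []
    for i in range(6):
        ev = mon.observe(Packet("203.0.113.%d" % i, "10.0.0.10", "S", float(i)))
        if ev:
            events.append((i, ev))
    ev = mon.observe(Packet("10.0.0.20", "10.0.0.10", "PA", 60.0))
    if ev:
        events.append((60, ev))
    return {"events": events, "terminated": len(mon.terminated)}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the fifth SYN triggers the first control signal, the sixth SYN is already terminated in the defender, and the benign packet at 60 s finds an empty window and triggers the second control signal.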

At some point in time it may be detected in the defender device 230 that the malicious data traffic has ended, or that the amount of the malicious data traffic is so small, i.e. below a predetermined limit, that it may be decided that the termination of the malicious data traffic to the defender device 230 may be discontinued. As schematically illustrated in Figure 4, a discontinuation of the termination of the malicious data traffic to the defender device 230 may be arranged by generating 410 a second control signal by the defender device 230 to one or more network devices 120. The second control signal may comprise data instructing the respective network devices 120 to return the data traffic to the original IP/MAC addresses and ports of the network devices 120. The original combination of the addresses and the ports may be stored in the respective network devices and taken back into use in response to a receipt of the second control signal. For example, the control frame in the second control signal for L2/L3 networks may be the following:

TABLE 3: L3 COMMAND TO RETURN THE DATA TRAFFIC

In response to the generation of the second control signal 410 the operation of the network devices 120 and the defender device 230 may be returned to normal, i.e. the data traffic is transported between the network devices 120 and the defender device returns to the monitoring state 310. For the sake of clarity it is worthwhile to mention that a corresponding command to return the data traffic to normal mode may also be performed on the L2 layer, but it is not necessary, since the data traffic returns to its normal path in all network devices, such as switches, in response to the generation of the L3 command to return the data traffic.

As mentioned in the foregoing description, it may also occur that the target entity 130 has ended up generating data traffic detectable as malicious by the defender device 230, e.g. in a situation in which a hijacker has gained control over it. Then, the defender device 230, in order to activate the defense, may generate a first control signal comprising the control frame as disclosed in table 4 below. The control frame may be transmitted to one or more network devices 120 operating on layer L2 or L3 and belonging to the network in question. The control frame as schematically illustrated in table 4 below as a non-limiting example may be applied to at least L3 Physical Networks (physical MAC and IP addresses used in an L3 network):

TABLE 4 (L3 CONTROL FRAME IF TARGET ENTITY IS THE ATTACKER)

In the above-described situation, in which the target entity 130 is actually the source of outbound malicious data traffic, the data traffic may be returned to normal with the control frame as disclosed in table 5 below. Naturally, such a second control signal is generated in response to a detection that the malicious data traffic from the target entity 130 has ended, or that its amount is below a predetermined limit.

TABLE 5 (L3 CONTROL FRAME FOR RETURNING DATA TRAFFIC IF TARGET ENTITY IS THE ATTACKER)

According to another example embodiment the discontinuation of the termination of the malicious data traffic to the defender device 230 may be arranged so that the one or more network devices 120 are provided with further operational parameters relating to the termination of the malicious data traffic. The further operational parameters may define one or more rules to be applied by the one or more network devices 120 which define how the termination of the malicious data traffic is to be implemented. As a non-limiting example, a rule may define a time window for the termination of the malicious data traffic to the defender device 230. In other words, during the time window the one or more network devices 120 may terminate the malicious data traffic to the defender device 230, and when the time window expires the data traffic may automatically be returned to what it was before the termination. Alternatively or in addition, the operational parameters carried in the first control signal may comprise further rules to be applied by the one or more network devices 120, such as rules affecting other protocols like VRRP, HSRP, BGP and similar protocols.
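The following Python, added here and not taken from the patent, simulates the address transformation state of a network device 120: a CAM table (MAC address to egress port) and an ARP table (IP address to MAC address). A first control signal rewrites one or both tables toward the defender's application port while the device saves the original combination; the second control signal, or an expired time-window rule as described above, restores it. The ControlFrame structure, the MAC and IP values and the port names are constructed placeholders, not the frame layout of tables 1 to 4.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed, locally administered MAC addresses and a private IP (placeholders).
VICTIM_MAC = "02:00:00:00:00:10"   # target entity 130
HIDDEN_MAC = "02:00:00:00:00:ff"   # application port of the defender device 230
VICTIM_IP = "10.0.0.10"


@dataclass
class ControlFrame:
    """Assumed stand-in for the L2/L3 control frames. A field left as None is
    not changed on the receiving device."""
    mac_to_port: Optional[Tuple[str, str]] = None   # L2: (dst MAC, new egress port)
    ip_to_mac: Optional[Tuple[str, str]] = None     # L3: (IP, new MAC)
    time_window_s: Optional[float] = None           # optional rule: automatic return


class NetworkDeviceModel:
    """Simulated network device 120 with CAM and ARP tables and saved originals."""

    def __init__(self, cam: Dict[str, str], arp: Dict[str, str]) -> None:
        self.cam = dict(cam)
        self.arp = dict(arp)
        self.saved_cam: Dict[str, Optional[str]] = {}
        self.saved_arp: Dict[str, Optional[str]] = {}
        self.expires_at: Optional[float] = None

    def apply_first_signal(self, frame: ControlFrame, now: float) -> None:
        """Redirect toward the defender; remember the original entry once."""
        if frame.mac_to_port:
            mac, port = frame.mac_to_port
            self.saved_cam.setdefault(mac, self.cam.get(mac))
            self.cam[mac] = port
        if frame.ip_to_mac:
            ip, mac = frame.ip_to_mac
            self.saved_arp.setdefault(ip, self.arp.get(ip))
            self.arp[ip] = mac
        if frame.time_window_s is not None:
            self.expires_at = now + frame.time_window_s

    def apply_second_signal(self) -> None:
        """Return traffic to the original addresses and ports."""
        for mac, port in self.saved_cam.items():
            if port is None:
                self.cam.pop(mac, None)
            else:
                self.cam[mac] = port
        for ip, mac in self.saved_arp.items():
            if mac is None:
                self.arp.pop(ip, None)
            else:
                self.arp[ip] = mac
        self.saved_cam.clear()
        self.saved_arp.clear()
        self.expires_at = None

    def tick(self, now: float) -> bool:
        """Apply the time-window rule; True if it expired and traffic was returned."""
        if self.expires_at is not None and now >= self.expires_at:
            self.apply_second_signal()
            return True
        return False

    def egress_for(self, dst_ip: str) -> Tuple[Optional[str], Optional[str]]:
        """(MAC, port) the device would deliver a packet for dst_ip to."""
        mac = self.arp.get(dst_ip)
        port = self.cam.get(mac) if mac else None
        return mac, port


def run_scenario() -> dict:
    dev = NetworkDeviceModel(cam={VICTIM_MAC: "Gi1/0/1", HIDDEN_MAC: "Gi1/0/24"},
                             arp={VICTIM_IP: VICTIM_MAC})
    before = dev.egress_for(VICTIM_IP)
    # L3 first control signal: the victim IP now resolves to the hidden MAC, for 300 s.
    dev.apply_first_signal(ControlFrame(ip_to_mac=(VICTIM_IP, HIDDEN_MAC),
                                        time_window_s=300), now=0.0)
    during = dev.egress_for(VICTIM_IP)
    expired_early = dev.tick(now=120.0)
    expired = dev.tick(now=300.0)
    after = dev.egress_for(VICTIM_IP)
    # L2-only variant: frames for the victim MAC leave on the defender's port,
    # returned explicitly by a second control signal.
    dev.apply_first_signal(ControlFrame(mac_to_port=(VICTIM_MAC, "Gi1/0/24")), now=400.0)
    l2_during = dev.egress_for(VICTIM_IP)
    dev.apply_second_signal()
    l2_after = dev.egress_for(VICTIM_IP)
    return dict(before=before, during=during, expired_early=expired_early,
                expired=expired, after=after, l2_during=l2_during, l2_after=l2_after)


if __name__ == "__main__":
    print(run_scenario())
```

Saving the original entry with setdefault matters when the first control signal is repeated, as the description allows: a second copy of the same frame must not overwrite the saved original with the already redirected value, or the second control signal would leave the traffic pointing at the defender.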

A further note is hereby given on the generation of the first and the second control signals comprising the respective control frames. Namely, the generation of the control signals may be repeated a number of times. Especially, the first control signal causing a termination of the data traffic to the defender device 230 may be repeated a number of times in order to maintain the status and/or to make the relevant network entities comply with the defending process. The need to repeat the generation of the first control signal a number of times may depend on the network structure and/or the status of the network. Correspondingly, the generation of the second control signal may be performed a plurality of times in order to return the network to normal operation.

Figure 5 illustrates schematically some further aspects of some example embodiments. Namely, the defender device 230 may be communicatively connected to a control device 510. The control device 510 may correspond to a computing device through which access, at least to control the defender device 230, may be arranged. Advantageously, the communication connection between the mentioned entities may be arranged as a secure communication connection, such as with Virtual Private Network (VPN) tunnelling. By establishing the communication connection the configuration of the defender device 230 may be adjusted and the operations of the defender device 230 may be manually controlled. In some situations, such as if the malicious data traffic is very similar to so-called normal data traffic, a manual intervention is required, e.g. through the control device 510.

As discussed herein, at least some aspects of the example embodiments may be achieved with a defender device 230. Figure 6 illustrates schematically as a block diagram an example of the defender device 230 applicable in the communication environment at least to defend against malicious data traffic. The block diagram of Figure 6 depicts some components of an apparatus that may be employed to implement the defender device 230. The apparatus may comprise a processor 610 and a memory 620. The memory 620 may store data and computer program code 625. The apparatus may further comprise communication means 630 for wired or wireless communication with other apparatuses, such as the at least one network device 120 under monitoring. Additionally, the apparatus may comprise user I/O (input/output) components 640 that may be arranged, together with the processor 610 and a portion of the computer program code 625, to provide the user interface for receiving input from a user and/or providing output to the user. In particular, the user I/O components 640 may include user input means, such as one or more keys or buttons, a keyboard, a touchscreen or a touchpad, etc. The user I/O components 640 may include output means, such as a display or a touchscreen. In some example embodiments the user I/O components 640 may correspond to an external entity, such as the control device 510 as depicted in Figure 5. The components of the apparatus may be communicatively connected to each other via a communication bus that enables the transfer of data and control information between the components.

The memory 620 and a portion of the computer program code 625 stored therein may be further arranged, with the processor 610, to cause the apparatus, i.e. the defender device 230, to perform a method according to an example embodiment as described in the foregoing description. The processor 610 may be configured to read from and write to the memory 620. Although the processor 610 is depicted as a respective single component, it may be implemented as respective one or more separate processing components. Similarly, although the memory 620 is depicted as a respective single component, it may be implemented as respective one or more separate components, some or all of which may be integrated/removable and/or may provide permanent / semi-permanent / dynamic / cached storage.

The computer program code 625 may comprise computer-executable instructions that implement functions that correspond to steps of the method as will be described when loaded into the processor 610. As an example, the computer program code 625 may include a computer program consisting of one or more sequences of one or more instructions. The processor 610 is able to load and execute the computer program by reading the one or more sequences of one or more instructions included therein from the memory 620. The one or more sequences of one or more instructions may be configured to, when executed by the processor 610, cause the apparatus to perform the method according to the example embodiment. Hence, the apparatus may comprise at least one processor 610 and at least one memory 620 including the computer program code 625 for one or more programs, the at least one memory 620 and the computer program code 625 configured to, with the at least one processor 610, cause the apparatus to perform the method described in the foregoing description.

The computer program code 625 may be provided e.g. as a computer program product comprising at least one computer-readable non-transitory medium having the computer program code 625 stored thereon, which computer program code 625, when executed by the processor 610, causes the apparatus to perform the method according to the example embodiment. The computer-readable non-transitory medium may comprise a memory device or a record medium such as a CD-ROM, a DVD, a Blu-ray disc or another article of manufacture that tangibly embodies the computer program. As another example, the computer program may be provided as a signal configured to reliably transfer the computer program.

Still further, the computer program code 625 may comprise a proprietary application, such as computer program code for network monitoring and defending. The proprietary application may be a client application of a service whose server application is running on a server apparatus of the system. The proprietary application may detect an anomaly within the data traffic, identify the malicious data traffic that the anomaly is related to, and automatically generate a service task in order to take actions with respect to the anomaly as described.

For the sake of clarity, the implementation of the defender device 230 may be a dedicated standalone device performing the operation as described above, but it may also be arranged as a distributed solution wherein the computing for performing the method as described is shared among a plurality of computing devices.

Some aspects of the present invention may relate to a system comprising a plurality of network devices communicatively connected to each other and a defender device as described in the foregoing description.

In the foregoing description it is stated that the monitoring is performed for detecting malicious data traffic. The term malicious data traffic shall be understood in a broad manner to cover any data traffic defined to be monitored and detected by the defender device 230. Moreover, the data traffic under monitoring and detection may be generated in the context of a Denial of Service (DoS) attack or in any other context.

A further note with respect to the invention is that the technique applied in the defender device 230 is suitable for terminating a plurality of malicious incoming or outgoing data traffic connections transported through the network device 120 under monitoring, even simultaneously and in any direction. In some embodiments the defender device 230 may be arranged to monitor a plurality of network devices 120 concurrently and to operate in the described manner if malicious data traffic is detected. As discussed, the monitored network devices 120 may be implemented in either physical or virtual network environments to work with the defender device 230. Moreover, and thus, the defender device 230 is operable in a virtual machine (VM) environment with the virtual device 120.

Moreover, in the foregoing description at least some aspects of the invention as defined in the appended claims are described in an environment in which the defender device 230 is defined to be hidden in the communication path. However, the mechanism in accordance with the present invention may also be applied even if the defender device 230 is visible in the communication path, i.e. it has a network address, or MAC address, complying with the other addresses in the communication path. However, the present invention operates in a more optimal manner if the defender device 230 is not, by default, visible in the communication path, since then the defender device 230 cannot be directly attacked by third parties. Besides, even if the defender device 230 is set visible in the communication network, the visibility through the applied MAC/IP addresses does not point to the defender device 230 itself, because the applied MAC/IP addresses are addresses of other network devices, as derivable from the examples of the L2/L3 address tables in the foregoing description. Hence, the defender device 230 itself actually remains invisible in the communication path.

For the sake of clarity it is worthwhile to mention that in the foregoing description it is indicated that the defender device 230 is arranged to monitor the network device 120. In accordance with the present invention the term “network device 120” shall be understood in a broad manner to cover at least the following: at least one network device arranged to operate on Layer 2 (OSI model) and implemented either as a physical device or virtually; at least one network device arranged to operate on Layer 3 (OSI model) and implemented either as a physical device or virtually; at least one connectivity network implemented either as a physical network or a virtual network; a physically implemented communication network arranged to operate on Layer 2 (OSI model); a physically implemented communication network arranged to operate on Layer 3 (OSI model).

The specific examples provided in the description given above should not be construed as limiting the applicability and/or the interpretation of the appended claims. Lists and groups of examples provided in the description given above are not exhaustive unless otherwise explicitly stated.