WO2008135822A2 - System and method for intrusion detection for communication networks utilizing signaling compression - Google Patents


Info

Publication number
WO2008135822A2
Authority
WO
WIPO (PCT)
Application number
PCT/IB2008/001034
Other languages
French (fr)
Other versions
WO2008135822A3 (en)
Inventor
Jouni MÄENPÄÄ
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1458 Denial of Service
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/04 Protocols for data compression, e.g. ROHC
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the Neural Network Classifier module analyzes the input vector and classifies the traffic as either intrusive (attack) or non-intrusive (normal) and hands a classification result 27 to the Post-Processor module 22. As noted above, the classification of the input vector is performed by comparing the number and type of instructions collected from the SigComp bytecode with the number and type of instructions utilized in non-intrusive bytecode.
  • the Training module 23 is used during the training phase to train the Neural Network Classifier module 10 to recognize intrusive input vectors and non-intrusive input vectors.
  • the Training Module implements the error back-propagation algorithm.
  • the Neural Network Classifier module is trained to recognize predefined sets of instructions associated with non-intrusive SigComp bytecodes of different compression algorithms and known variations of the compression algorithms.
  • the Neural Network Classifier module may classify the input vector as intrusive if the number and type of instructions collected from the bytecode are different from the number and type of instructions learned in training.
  • predefined criteria may be established defining the level of differences in the number and type of instructions required in order to result in a determination that the input vector is intrusive. If the number and type of instructions collected from the bytecode are the same as the number and type of instructions learned in training (or the differences are less than the predefined criteria), the Neural Network Classifier module may classify the input vector as non-intrusive.
  • based on the classification result of the Neural Network Classifier module, the Post-Processor module 22 generates alarms and reports 28 for an upper layer application 29 or writes to the system's event log.
  • FIG. 3 is a flow chart illustrating the steps of an exemplary embodiment of the method of the present invention.
  • a Data Pre-Processor module is positioned to preprocess SigComp messages addressed to a UDVM node and generate corresponding input vectors.
  • an MLP network is configured to receive the input vectors and to classify the input vectors as intrusive or non-intrusive.
  • the MLP network is trained using normal (i.e., non-intrusive) UDVM bytecodes to learn the profile (in terms of instruction counts) of normal bytecodes.
  • IP packets are received carrying the SigComp messages and are forwarded to the Data Pre-Processor module.
  • the Data Pre-Processor module collects the instruction counts in the UDVM bytecode and sends an input vector to the Neural Network Classifier module.
  • the Neural Network Classifier module analyzes the input vector and classifies the vector as either intrusive (attack) or non-intrusive (normal).
  • the upper-layer application may reject the SigComp message without the message ever reaching the UDVM node.
  • FIG. 4 is a simplified functional block diagram illustrating the functions performed by the Neural Network Classifier 10 in one embodiment of the present invention.
  • the input layer 11 of the classifier functions as a receiver for receiving the input vector 16 formed by the pre-processor module 15 from the received SigComp message.
  • the input vector receiver passes the instruction count received in the input vector to the hidden layer 12, which functions as a comparison unit.
  • a training module interface 42 facilitates communications between the Training Module 23 and a network profile of non-intrusive instruction counts 43 (shown in phantom) maintained by the neural network.
  • the profile is shown in phantom because although it acts as a store of knowledge, it is not implemented as a separately identifiable database.
  • the connections and connection weights in the neural network store the instruction count profile of non-intrusive bytecodes (thus acting as a kind of a database).
  • the weights of connections between the hidden layer and the output layer of the neural network are adjusted until the network correctly classifies all the input vectors (containing non-intrusive bytecodes) as non-intrusive.
  • the neural network no longer needs access to the original training data, since the connections and connection weights between the neurons in the network contain all the information needed to classify bytecodes as intrusive or non-intrusive.
  • the comparison unit 12 compares the received instruction count with a non-intrusive instruction count retrieved from the profile of non-intrusive instruction counts 43.
  • the comparison unit passes the result, indicating whether the input vector is intrusive or non-intrusive, to the output layer 13, which functions as a comparison results transmitter.
  • the output signal 17/18 is then sent to the Post-Processor module 22.
  • the IDS of the present invention offers protection to network nodes by detecting malicious bytecodes before the bytecodes are executed on the UDVM and before they can consume UDVM computational resources.
  • the Neural Network Classifier module 10 is able to perform the intrusive/non-intrusive classification much more rapidly than the prior art method of executing the bytecode until the UDVM cycle limit is reached.
  • since the IDS operates on the bytecodes in the SigComp message header, there is no need to decompress and inspect the payload of SigComp messages (which contains the compressed content) to determine whether the bytecode is malicious. This is beneficial, since the bytecodes are very short compared to the payloads of SigComp messages.

Abstract

An Intrusion Detection System, IDS, for detecting intrusive bytecodes in Signaling Compression, SigComp, messages before the bytecodes are executed on a Universal Decompressor Virtual Machine, UDVM. The IDS analyzes instruction counts in bytecodes included in received SigComp message headers and compares them with known instruction counts associated with non-intrusive bytecodes. Based on the comparisons, the IDS classifies the received bytecodes as either intrusive, i.e., malicious, or non-intrusive, i.e., normal. If the bytecode is classified as intrusive, the IDS may produce an alarm, which can be used by an upper-layer application to reject the SigComp message. Since the invention detects intrusive UDVM bytecodes before they are executed on the UDVM, system resources are saved as attacks are detected at an early stage.

Description

SYSTEM AND METHOD FOR INTRUSION DETECTION FOR COMMUNICATION NETWORKS UTILIZING SIGNALING COMPRESSION
TECHNICAL FIELD
The present invention relates generally to communications networks, and in particular, to a system and method for intrusion detection in mobile telecommunication networks that employ signaling compression (SigComp) to compress application-layer signaling messages.
BACKGROUND
Signaling Compression (SigComp) is a protocol specified by the Internet Engineering Task Force (IETF) in Request for Comments (RFC) 3320. SigComp is used to compress application-layer signaling messages, such as the messages of the Session Initiation Protocol (SIP). SIP, in turn, is used as a call control protocol in the IP Multimedia Subsystem (IMS) specified by the Third Generation Partnership Project (3GPP). SigComp provides a framework for the compression of application-layer signaling between two network elements. In the IMS, SigComp is used to compress SIP signaling messages between mobile terminals and the Proxy Call Session Control Function (P-CSCF) node, which is the first contact point for the mobile terminal within the IMS. A compression scheme like SigComp is needed because the large size of SIP signaling messages increases the transfer delay on the radio interface. This increased transfer delay results in long call setup delays. Through compression, the size of SIP signaling messages can be reduced and thus the call setup time decreased.
The central piece of the SigComp architecture is a Universal Decompressor Virtual Machine (UDVM), which is a virtual machine optimized for running decompression algorithms. With the UDVM, SigComp can support a wide range of compression algorithms instead of dictating a single algorithm to be supported by all SigComp endpoints. Thus, mobile terminal manufacturers can freely select the SigComp decompression algorithm they desire to use. The decompression algorithm is implemented as a small computer program written in UDVM assembly language. This program is then uploaded to the network node responsible for the decompression of SigComp messages. This node executes the program in the UDVM in order to decompress the SigComp messages sent by the mobile terminal.
The fact that user-provided programs are uploaded to the P-CSCF (or any other network node performing decompression) and executed there is a considerable security risk. Therefore, to ensure that the decompression of a single message cannot consume excessive processing resources, the IETF introduced the concept of UDVM cycles in RFC 3320. A UDVM cycle is a measure of the amount of CPU power required to execute a UDVM instruction. A UDVM cycle limit is used to restrict the number of UDVM cycles that can be used to decompress each bit in a SigComp message. The amount of cycles a bytecode (i.e., a compiled UDVM assembly language program) uses must be monitored because malicious users can send bytecodes containing looping code.
The cycle limit, however, only reduces the amount of damage that can be caused by intruders, but does not eliminate the problem. For example, simulated Denial of Service (DoS) attacks have been run successfully against a typical SigComp implementation acting as a P-CSCF. The DoS attacks utilized looping code in the headers of SigComp messages, which carried SIP INVITE messages in the payload of the messages. A minimum value was utilized for the parameter cycles_per_bit. It was found that the looping code utilized, on average, 274 milliseconds of CPU time per message before running out of UDVM cycles. In addition, a rate of eight or more messages per second was sufficient to place a load on the CPU of one hundred percent (i.e., consume all capacity of the P-CSCF). DoS attacks utilizing a larger value for the parameter cycles_per_bit than the minimum, and utilizing a longer SIP message in the payload of the SigComp messages, would have been even more successful.
SUMMARY
The present invention provides a system and method for intrusion detection in mobile telecommunication networks that employ SigComp to compress application-layer signaling messages. The invention provides novel protection mechanisms to solve the problems of the prior art.
In one embodiment, the invention is directed to an Intrusion Detection System (IDS) for SigComp that analyzes instruction counts in UDVM bytecodes included in SigComp messages before the bytecodes are executed on the UDVM, and classifies the bytecodes as either intrusive (i.e., malicious) or non-intrusive (i.e., normal). If the bytecode is classified as intrusive, the IDS may produce an alarm, which can be used by an upper-layer application to, for example, reject the SigComp message. Since the invention detects intrusive UDVM bytecodes before they are executed on the UDVM, system resources are saved as attacks are detected at an early stage.
In another embodiment, the present invention is directed to a method of detecting intrusive bytecode in SigComp messages in a mobile telecommunication network. The method includes the steps of receiving a SigComp message having bytecode in a header portion; collecting instruction counts from the bytecode to form an input vector; classifying the input vector as intrusive or non-intrusive based on the instruction counts; rejecting the SigComp message if the input vector is classified as intrusive; and forwarding the SigComp message to a decompression node if the input vector is classified as non-intrusive.
In another embodiment, the present invention is directed to a classifying node for classifying bytecode in a received SigComp message as intrusive or non-intrusive. The classifying node includes means for receiving from a preprocessor module, an input vector comprising a count of each type of instruction contained in the received bytecode; a database for storing data indicating the number and type of instructions utilized in non-intrusive bytecode; and means for determining whether the input vector is intrusive or non-intrusive by comparing the input vector with the stored data indicating the number and type of instructions utilized in non-intrusive bytecode. The input vector is classified as intrusive if the number and type of instructions in the input vector differ by at least a predefined amount from the number and type of instructions utilized in non-intrusive bytecode. The input vector is classified as non-intrusive if the number and type of instructions in the input vector differ by less than the predefined amount from the number and type of instructions utilized in non-intrusive bytecode. The classifying node then sends an indication of whether the input vector is intrusive or non-intrusive.
The present invention provides effective defense against DoS attacks. While the UDVM cycle limit proposed in RFC 3320 can detect malicious bytecodes after they have been executed on the UDVM and have reached the cycle limit, the present invention offers protection to network nodes by detecting malicious bytecodes before they are executed on the UDVM. Thus the malicious bytecodes are detected before they can consume computational resources on the target node.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a simplified block diagram of an MLP network suitable for implementing the Intrusion Detection System (IDS) of the present invention;
FIG. 2 is a simplified functional block diagram of an exemplary embodiment of the IDS of the present invention;
FIG. 3 is a flow chart illustrating the steps of an exemplary embodiment of the method of the present invention; and
FIG. 4 is a simplified functional block diagram illustrating the functions performed by the Neural Network Classifier in one embodiment of the present invention.
DETAILED DESCRIPTION
In one exemplary embodiment, the Intrusion Detection System (IDS) of the present invention is implemented utilizing a neural network. The neural network may be, for example, a Multi-Layer Perceptron (MLP) network, as described by S. Haykin in "Neural Networks - A Comprehensive Foundation," 2nd Edition, 1999 (hereafter referred to as "Neural Networks"). However, other types of neural networks may be utilized as well.
FIG. 1 is a simplified block diagram of an MLP network 10 suitable for implementing the IDS of the present invention. The MLP network is used to analyze instruction counts in UDVM bytecodes carried in SigComp messages. The MLP network has an input layer 11, one hidden layer 12, and an output layer 13. The input layer of the MLP network has one neuron 14 for each instruction in the UDVM instruction set, thus having a total of thirty-six neurons, as illustrated in FIG. 1.
The UDVM bytecode is in binary format, and before the UDVM bytecode is fed to the MLP network, it is preprocessed by a Data Pre-Processor module 15. The Data Pre-Processor module calculates the number of times each instruction of the UDVM instruction set occurs in the UDVM bytecode. Based on these statistics, an input vector 16 is created. The input vector has thirty-six entries, one for each instruction in the UDVM instruction set. Each position in the vector corresponds to one instruction, and the value of the position is the number of occurrences of that instruction in the bytecode being analyzed. The output signal from the MLP network is read at output neurons 17 and 18.
The MLP network may be trained by utilizing any suitable neural network training algorithm. For example, one embodiment of the present invention utilizes the well-known error back-propagation algorithm, also described in "Neural Networks". The training set consists of non-intrusive SigComp bytecodes of different compression algorithms. It is important to use bytecodes of a large number of compression algorithms, and also many variations of the same algorithm. Examples of bytecodes can be found in IETF RFC 4464. The weights of the MLP network are fixed once the training has been completed. The training must be performed before the system is made operational.
Since the MLP network 10 is trained using normal (i.e., non-intrusive) UDVM bytecodes, the neural network learns the profile (in terms of instruction counts) of normal bytecodes. When an intrusive bytecode is presented to the IDS, the neural network can detect the deviation from the normal bytecode structure because intrusive bytecodes use a different number and set of instructions than do non-intrusive bytecodes. The output signal from the MLP network 10 provides output values between 0.0 and 1.0 at each of the output neurons 17 and 18 to indicate whether the input vector is classified as intrusive or non-intrusive. For example, the output of the first output neuron may indicate how probable it is that the input vector is intrusive, and the output of the second output neuron may indicate how probable it is that the input vector is non-intrusive. If the network is absolutely certain that the input vector is intrusive, the output of the first neuron is 1.0, and the output of the second neuron is 0.0. If the network is absolutely certain that the input vector is non-intrusive, the output of the first neuron is 0.0 and the output of the second neuron is 1.0. However, if the network is only moderately certain that the input is intrusive, the output values might be, for example, values such as 0.75 and 0.25. A predefined value such as 0.5 may be utilized as a threshold value for classifying input vectors as intrusive or non-intrusive. For example, if the output of the first neuron is larger than 0.5 (and the output of the second neuron is less than 0.5), the input vector is considered intrusive. Conversely, if the output of the first neuron is less than 0.5 (and the output of the second neuron is larger than 0.5), the input vector is considered non-intrusive. By selecting the threshold value, the user can control the level at which input vectors are classified as intrusive or non-intrusive.
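The preprocessing and classification steps described for FIG. 1 can be tried out with the following added example. It is not code from the patent or from Ericsson. It assumes the UDVM bytecode has already been decoded into its opcode sequence (operand decoding per RFC 3320 is left out), uses the 36 opcode numbers that RFC 3320 assigns, trains a small MLP with plain error back-propagation, and applies the 0.5 threshold rule on the two output neurons. The description above trains only on non-intrusive bytecodes, but a two-output network trained by back-propagation needs examples of both labels, so the training set here consists of constructed count vectors of both classes (none taken from RFC 4464). Scaling counts to relative frequencies before they enter the network is this example's own choice, as are all names in the code.

```python
import math
import random

# The 36 UDVM instructions in the opcode order of RFC 3320 section 9.
UDVM_INSTRUCTIONS = [
    "DECOMPRESSION-FAILURE", "AND", "OR", "NOT", "LSHIFT", "RSHIFT", "ADD",
    "SUBTRACT", "MULTIPLY", "DIVIDE", "REMAINDER", "SORT-ASCENDING",
    "SORT-DESCENDING", "SHA-1", "LOAD", "MULTILOAD", "PUSH", "POP", "COPY",
    "COPY-LITERAL", "COPY-OFFSET", "MEMSET", "JUMP", "COMPARE", "CALL",
    "RETURN", "SWITCH", "CRC", "INPUT-BYTES", "INPUT-BITS", "INPUT-HUFFMAN",
    "STATE-ACCESS", "STATE-CREATE", "STATE-FREE", "OUTPUT", "END-MESSAGE",
]
N_INPUTS = len(UDVM_INSTRUCTIONS)  # one input neuron per instruction: 36
OPCODE = {name: i for i, name in enumerate(UDVM_INSTRUCTIONS)}


def instruction_count_vector(opcodes):
    """Data Pre-Processor step: occurrences of each opcode in an already
    decoded bytecode (operand decoding is assumed to happen upstream)."""
    vec = [0] * N_INPUTS
    for op in opcodes:
        if not 0 <= op < N_INPUTS:
            raise ValueError(f"not a UDVM opcode: {op}")
        vec[op] += 1
    return vec


def counts(**named):
    """Count vector from instruction names ('_' stands for '-')."""
    return instruction_count_vector(
        OPCODE[n.replace("_", "-")] for n, k in named.items() for _ in range(k))


def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class MLPClassifier:
    """36 inputs, one hidden layer, two outputs (intrusive, non-intrusive)."""

    def __init__(self, n_hidden=5, seed=7):
        rng = random.Random(seed)  # fixed seed: deterministic weights
        self.w_h = [[rng.uniform(-0.5, 0.5) for _ in range(N_INPUTS + 1)]
                    for _ in range(n_hidden)]
        self.w_o = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
                    for _ in range(2)]

    def forward(self, vec):
        # Relative frequencies (this example's choice) keep the weighted sums
        # in the sigmoid's useful range; the trailing 1.0 is the bias input.
        total = sum(vec) or 1
        x = [v / total for v in vec] + [1.0]
        h = [_sigmoid(sum(w * xi for w, xi in zip(row, x)))
             for row in self.w_h] + [1.0]
        o = [_sigmoid(sum(w * hi for w, hi in zip(row, h))) for row in self.w_o]
        return x, h, o

    def train(self, samples, epochs=800, rate=1.0):
        """Error back-propagation on (count_vector, is_intrusive) pairs;
        targets are (1, 0) for intrusive and (0, 1) for non-intrusive."""
        for _ in range(epochs):
            for vec, intrusive in samples:
                target = (1.0, 0.0) if intrusive else (0.0, 1.0)
                x, h, o = self.forward(vec)
                d_o = [(o[k] - target[k]) * o[k] * (1 - o[k]) for k in range(2)]
                d_h = [h[j] * (1 - h[j]) * (d_o[0] * self.w_o[0][j] + d_o[1] * self.w_o[1][j])
                       for j in range(len(h) - 1)]
                for k in range(2):
                    for j in range(len(h)):
                        self.w_o[k][j] -= rate * d_o[k] * h[j]
                for j in range(len(d_h)):
                    for i in range(len(x)):
                        self.w_h[j][i] -= rate * d_h[j] * x[i]

    def classify(self, vec, threshold=0.5):
        """Threshold rule of the description; if the two output neurons do not
        agree (neither or both cross the threshold) report undecided."""
        _, _, (p_intrusive, p_normal) = self.forward(vec)
        if p_intrusive > threshold and p_normal < threshold:
            return "intrusive", p_intrusive
        if p_intrusive < threshold and p_normal > threshold:
            return "non-intrusive", p_intrusive
        return "undecided", p_intrusive


# Constructed training vectors (not taken from RFC 4464): decompressor-like
# instruction mixes versus mixes that look nothing like a decompressor.
NORMAL = [
    counts(INPUT_BYTES=2, COPY=3, OUTPUT=1, END_MESSAGE=1, JUMP=2, COMPARE=1),
    counts(INPUT_HUFFMAN=2, COPY_LITERAL=2, LOAD=2, OUTPUT=1, END_MESSAGE=1, JUMP=1),
    counts(MULTILOAD=1, INPUT_BYTES=3, COPY=2, COMPARE=2, JUMP=2, OUTPUT=1, END_MESSAGE=1),
]
ODD = [
    counts(MULTIPLY=9, ADD=7, JUMP=4, SHA_1=3),
    counts(SORT_ASCENDING=6, SORT_DESCENDING=6, JUMP=3, REMAINDER=5),
    counts(MULTIPLY=12, LSHIFT=6, JUMP=2),
]


def build_classifier():
    """Train once (deterministic seed) and return the fixed-weight classifier."""
    clf = MLPClassifier()
    clf.train([(v, False) for v in NORMAL] + [(v, True) for v in ODD])
    return clf
```

Usage: `build_classifier().classify(counts(INPUT_BYTES=2, COPY=2, OUTPUT=1, END_MESSAGE=1, JUMP=1))` returns the label and the first output neuron's value. The description's two threshold conditions leave a gap when the two output neurons do not agree; `classify` reports that case as undecided so a deployment can route it to the slower cycle-limit check rather than silently forwarding the message.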
FIG. 2 is a simplified functional block diagram of an exemplary embodiment of the IDS 20 of the present invention. The IDS includes a Data Acquisition module 21, the Data Pre-Processor module 15, a Neural Network Classifier module 10, a Post-Processor module 22, and a Training module 23. The Data Acquisition module 21 receives IP packets 24 carrying the SigComp messages 25 from a network 26, and hands the messages to the Data Pre-Processor module 15. The Data Pre-Processor module collects the instruction counts in the UDVM bytecode and creates the input vector 16 to the Neural Network Classifier module 10, which may be implemented with the MLP network shown in FIG. 1.
The Neural Network Classifier module analyzes the input vector and classifies the traffic as either intrusive (attack) or non-intrusive (normal) and hands a classification result 27 to the Post-Processor module 22. As noted above, the classification of the input vector is performed by comparing the number and type of instructions collected from the SigComp bytecode with the number and type of instructions utilized in non-intrusive bytecode. The Training module 23 is used during the training phase to train the Neural Network Classifier module 10 to recognize intrusive input vectors and non-intrusive input vectors. The Training Module implements the error back-propagation algorithm. The Neural Network Classifier module is trained to recognize predefined sets of instructions associated with non-intrusive SigComp bytecodes of different compression algorithms and known variations of the compression algorithms. The Neural Network Classifier module may classify the input vector as intrusive if the number and type of instructions collected from the bytecode are different from the number and type of instructions learned in training. Alternatively, predefined criteria may be established defining the level of differences in the number and type of instructions required in order to result in a determination that the input vector is intrusive. If the number and type of instructions collected from the bytecode are the same as the number and type of instructions learned in training (or the differences are less than the predefined criteria), the Neural Network Classifier module may classify the input vector as non-intrusive.
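The two comparison rules just described (intrusive when the number and type of instructions differ at all from training, or only when they differ by more than predefined amounts; see also claims 5, 6 and 16) can be implemented without a neural network as a stored profile of per-instruction count ranges. The following is an added example and not the patent's code; it uses the same 36-entry count vectors, opcode numbers from RFC 3320 for the few instructions it names, and constructed non-intrusive training vectors (not taken from RFC 4464). The function and variable names are this example's own.

```python
# Opcode numbers from RFC 3320 for the instructions used in the samples.
OP = {"SHA-1": 13, "LOAD": 14, "COPY": 18, "JUMP": 22, "COMPARE": 23,
      "INPUT-BYTES": 28, "OUTPUT": 34, "END-MESSAGE": 35}
N_INSTRUCTIONS = 36


def vector(**named):
    """Constructed 36-entry count vector; keyword names use '_' for '-'."""
    vec = [0] * N_INSTRUCTIONS
    for name, n in named.items():
        vec[OP[name.replace("_", "-")]] = n
    return vec


def learn_profile(training_vectors):
    """Profile of non-intrusive instruction counts: for each instruction,
    the smallest and largest count seen across the training bytecodes."""
    if not training_vectors:
        raise ValueError("training set must not be empty")
    return [(min(col), max(col)) for col in zip(*training_vectors)]


def compare_with_profile(vec, profile, tolerance=0):
    """Classify `vec` against `profile`; returns (verdict, deviations).

    'type' deviation: the instruction never occurs in non-intrusive bytecode
    (profile maximum 0) but occurs here; flagged regardless of tolerance.
    'number' deviation: the count lies outside the learned range widened by
    `tolerance` (the predefined amount). tolerance=0 is the strict
    same-number-and-type rule; a positive value is the tolerant rule.
    """
    if len(vec) != len(profile):
        raise ValueError("vector and profile length differ")
    deviations = []
    for opcode, (count, (lo, hi)) in enumerate(zip(vec, profile)):
        if count > 0 and hi == 0:
            deviations.append((opcode, "type", count))
        elif count < lo - tolerance or count > hi + tolerance:
            deviations.append((opcode, "number", count))
    return ("intrusive" if deviations else "non-intrusive"), deviations


# Constructed non-intrusive training vectors (not from RFC 4464).
TRAINING = [
    vector(INPUT_BYTES=2, COPY=3, OUTPUT=1, END_MESSAGE=1, JUMP=2, COMPARE=1),
    vector(INPUT_BYTES=1, COPY=2, OUTPUT=1, END_MESSAGE=1, JUMP=1, LOAD=2),
    vector(INPUT_BYTES=3, COPY=4, OUTPUT=1, END_MESSAGE=1, JUMP=3, COMPARE=2, LOAD=1),
]
PROFILE = learn_profile(TRAINING)

if __name__ == "__main__":
    probes = {
        "within range": vector(INPUT_BYTES=2, COPY=3, OUTPUT=1, END_MESSAGE=1, JUMP=2, LOAD=1),
        "unseen instruction": vector(INPUT_BYTES=2, COPY=3, OUTPUT=1, END_MESSAGE=1, JUMP=2, SHA_1=1),
        "count just outside range": vector(INPUT_BYTES=2, COPY=5, OUTPUT=1, END_MESSAGE=1, JUMP=2),
    }
    for label, probe in probes.items():
        for tol in (0, 2):
            print(label, "tolerance", tol, compare_with_profile(probe, PROFILE, tol))
```

A count of five COPY instructions is flagged under the strict rule (the learned range is two to four) but accepted with a tolerance of two, while an instruction absent from every training bytecode is flagged under both rules; an all-zero vector is flagged as well, since the minimum counts of the instructions every decompressor uses are above zero.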
Based on the classification result of the Neural Network Classifier module, the Post-Processor module 22 generates alarms and reports 28 for an upper layer application 29 or writes to the system's event log.
FIG. 3 is a flow chart illustrating the steps of an exemplary embodiment of the method of the present invention. At step 31, a Data Pre-Processor module is positioned to preprocess SigComp messages addressed to a UDVM node and generate corresponding input vectors. At step 32, an MLP network is configured to receive the input vectors and to classify the input vectors as intrusive or non-intrusive. At step 33, the MLP network is trained using normal (i.e., non-intrusive) UDVM bytecodes to learn the profile (in terms of instruction counts) of normal bytecodes. At step 34, IP packets are received carrying the SigComp messages and are forwarded to the Data Pre-Processor module. At step 35, the Data Pre-Processor module collects the instruction counts in the UDVM bytecode and sends an input vector to the Neural Network Classifier module. At step 36, the Neural Network Classifier module analyzes the input vector and classifies the vector as either intrusive (attack) or non-intrusive (normal). At step 37, it is determined whether the input vector is classified as intrusive. If not, the method moves to step 38, where the SigComp message is passed to the UDVM node for decompression and further processing. However, if the vector is classified as intrusive, the method moves to step 39, where an alarm or report may be sent to an upper-layer application. At step 40, the upper-layer application may reject the SigComp message without the message ever reaching the UDVM node.
FIG. 4 is a simplified functional block diagram illustrating the functions performed by the Neural Network Classifier 10 in one embodiment of the present invention. The input layer 11 of the classifier functions as a receiver for receiving the input vector 16 formed by the pre-processor module 15 from the received SigComp message. The input vector receiver passes the instruction count received in the input vector to the hidden layer 12, which functions as a comparison unit. A training module interface 42 facilitates communications between the Training Module 23 and a network profile of non-intrusive instruction counts 43 (shown in phantom) maintained by the neural network. The profile is shown in phantom because although it acts as a store of knowledge, it is not implemented as a separately identifiable database. The connections and connection weights in the neural network store the instruction count profile of non-intrusive bytecodes (thus acting as a kind of a database). During the training phase, the weights of connections between the hidden layer and the output layer of the neural network are adjusted until the network correctly classifies all the input vectors (containing non-intrusive bytecodes) as non- intrusive. When the training has been completed, the neural network no longer needs access to the original training data, since the connections and connection weights between the neurons in the network contain all the information needed to classify bytecodes as intrusive or non-intrusive. The comparison unit 12 compares the received instruction count with a non-intrusive instruction count retrieved from the profile of non-intrusive instruction counts 43. The comparison unit passes the result, indicating whether the input vector is intrusive or non-intrusive, to the output layer 13, which functions as a comparison results transmitter. The output signal 17/18 is then sent to the Post-Processor module 22.
Thus, the IDS of the present invention offers protection to network nodes by detecting malicious bytecodes before the bytecodes are executed on the UDVM and before they can consume UDVM computational resources. In addition, the Neural Network Classifier module 10 is able to perform the intrusive/non-intrusive classification much more rapidly than the prior art method of executing the bytecode until the UDVM cycle limit is reached. Furthermore, since the IDS operates on the bytecodes in the SigComp message header, there is no need to decompress and inspect the payload of SigComp messages (which contains the compressed content) to determine whether the bytecode is malicious. This is beneficial, since the bytecodes are very short compared to the payloads of SigComp messages.
The present invention may of course, be carried out in other specific ways than those herein set forth without departing from the essential characteristics of the invention. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive and all changes coming within the meaning and equivalency range of the appended claims are intended to be embraced therein.

Claims

1. A method of detecting intrusive bytecode in signaling compression (SigComp) messages in a mobile telecommunication network, said method comprising the steps of: receiving a SigComp message having bytecode in a header portion; collecting instruction counts from the bytecode to form an input vector; classifying the input vector as intrusive or non-intrusive based on the instruction counts; rejecting the SigComp message if the input vector is classified as intrusive; and forwarding the SigComp message to a decompression node if the input vector is classified as non-intrusive.
2. The method as recited in claim 1, further comprising training a classifying module to recognize intrusive and non-intrusive input vectors prior to receiving the SigComp message.
3. The method as recited in claim 2, wherein the training step includes training the classifying module utilizing an error back-propagation algorithm.
4. The method as recited in claim 3, wherein the training step includes training the classifying module to recognize as non-intrusive, sets of instructions associated with non-intrusive SigComp bytecodes of a plurality of different compression algorithms and known variations of the compression algorithms.
5. The method as recited in claim 4, wherein the classifying step includes: comparing the number and type of instructions collected from the bytecode with the number and type of instructions learned in the training step; classifying the input vector as intrusive if the number and type of instructions collected from the bytecode are different from the number and type of instructions learned in the training step; and classifying the input vector as non-intrusive if the number and type of instructions collected from the bytecode are the same as the number and type of instructions learned in the training step.
6. The method as recited in claim 4, wherein the classifying step includes: comparing the number and type of instructions collected from the bytecode with the number and type of instructions learned in the training step; classifying the input vector as intrusive if the number and type of instructions collected from the bytecode differ by more than predefined amounts from the number and type of instructions learned in the training step; and classifying the input vector as non-intrusive if the number and type of instructions collected from the bytecode do not differ by more than the predefined amounts from the number and type of instructions learned in the training step.
7. The method as recited in claim 1, wherein the rejecting step includes: sending an alarm to an upper-layer application upon determining that the input vector is intrusive; and rejecting the SigComp message by the upper-layer application.
8. The method as recited in claim 7, further comprising writing an entry to an event log upon determining that the input vector is intrusive.
9. The method as recited in claim 1, wherein the forwarding step includes forwarding the SigComp message to a Universal Decompressor Virtual Machine (UDVM) for decompressing of the SigComp message if the input vector is classified as non-intrusive.
10. A system for detecting intrusive bytecode in signaling compression (SigComp) messages in a mobile telecommunication network, said system comprising: a data acquisition module for receiving packets containing a SigComp message having bytecode in a header portion; a data pre-processor for collecting instruction counts from the bytecode to form an input vector; a classifying module for classifying the input vector as intrusive or non-intrusive based on the instruction counts; a post processor for rejecting the SigComp message if the input vector is classified as intrusive, and for forwarding the SigComp message to a decompression node if the input vector is classified as non-intrusive.
11. The system as recited in claim 10, further comprising means for utilizing an error back-propagation algorithm to train the classifying module to recognize intrusive and non-intrusive input vectors, wherein the classifying module is trained to recognize as non-intrusive, sets of instructions associated with non-intrusive SigComp bytecodes of a plurality of different compression algorithms and known variations of the compression algorithms.
12. The system as recited in claim 11, wherein the classifying module includes: means for comparing the number and type of instructions collected from the bytecode with the number and type of instructions learned during training; classifying means for classifying the input vector as intrusive if the number and type of instructions collected from the bytecode are different from the number and type of instructions learned during training, and for classifying the input vector as non-intrusive if the number and type of instructions collected from the bytecode are the same as the number and type of instructions learned during training.
13. The system as recited in claim 11, wherein the classifying module includes: means for comparing the number and type of instructions collected from the bytecode with the number and type of instructions learned during training; classifying means for classifying the input vector as intrusive if the number and type of instructions collected from the bytecode differ by more than predefined amounts from the number and type of instructions learned during training, and for classifying the input vector as non-intrusive if the number and type of instructions collected from the bytecode do not differ by more than the predefined amounts from the number and type of instructions learned during training.
14. The system as recited in claim 10, wherein the post processor includes: means for sending an alarm to an upper-layer application upon determining that the input vector is intrusive; and means within the upper-layer application for rejecting the SigComp message.
15. The system as recited in claim 14, wherein the post processor includes means for writing an entry to an event log upon determining that the input vector is intrusive.
16. A classifying node for classifying bytecode in a received signaling compression (SigComp) message as intrusive or non-intrusive, said classifying node comprising: means for receiving from a pre-processor module, an input vector comprising a count of each type of instruction contained in the received bytecode; means for storing data indicating the number and type of instructions utilized in non-intrusive bytecode; means for determining whether the input vector is intrusive or non-intrusive by comparing the input vector with the stored data indicating the number and type of instructions utilized in non-intrusive bytecode, wherein the input vector is classified as intrusive if the number and type of instructions in the input vector differ by at least a predefined amount from the number and type of instructions utilized in non-intrusive bytecode, and the input vector is classified as non-intrusive if the number and type of instructions in the input vector differ by less than the predefined amount from the number and type of instructions utilized in non-intrusive bytecode; and means for communicating an indication of whether the input vector is intrusive or non-intrusive.
17. The classifying node as recited in claim 16, wherein the predefined amount is a threshold value corresponding to a user-defined confidence level that the input vector is non-intrusive.
18. The classifying node as recited in claim 16, further comprising means for communicating with a training module, wherein the training module provides sets of instructions associated with non-intrusive SigComp bytecodes of a plurality of different compression algorithms and known variations of the compression algorithms.
PCT/IB2008/001034 2007-05-03 2008-04-24 System and method for intrusion detection for communication networks utilizing signaling compression WO2008135822A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US91571207P 2007-05-03 2007-05-03
US60/915,712 2007-05-03

Publications (2)

Publication Number Publication Date
WO2008135822A2 true WO2008135822A2 (en) 2008-11-13
WO2008135822A3 WO2008135822A3 (en) 2009-05-07

Family

ID=39944072

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/001034 WO2008135822A2 (en) 2007-05-03 2008-04-24 System and method for intrusion detection for communication networks utilizing signaling compression

Country Status (1)

Country Link
WO (1) WO2008135822A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2833594A1 (en) * 2013-07-31 2015-02-04 Siemens Aktiengesellschaft Feature based three stage neural networks intrusion detection method and system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001031421A1 (en) * 1999-10-25 2001-05-03 Visa International Service Association Method and apparatus for training a neural network model for use in computer network intrusion detection
US7181768B1 (en) * 1999-10-28 2007-02-20 Cigital Computer intrusion detection system and method based on application monitoring
US20020188864A1 (en) * 2001-06-06 2002-12-12 Jackson Gary Manuel Intrusion prevention system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
RICHARD PRICE ET AL: "Universal Decompressor Virtual Machine (UDVM); draft-ietf-rohc-sigcomp-udvm-00.txt" IETF STANDARD-WORKING-DRAFT, INTERNET ENGINEERING TASK FORCE, IETF, CH, vol. rohc, 28 January 2002 (2002-01-28), XP015026770 ISSN: 0000-0004 *
SURTEES M WEST SIEMENS/ROKE MANOR RESEARCH A: "Signaling Compression (SigComp) Users' Guide; rfc4464.txt" IETF STANDARD, INTERNET ENGINEERING TASK FORCE, IETF, CH, 1 May 2006 (2006-05-01), XP015054978 ISSN: 0000-0003 *
ZHANG C ET AL: "Intrusion detection using hierarchical neural networks" PATTERN RECOGNITION LETTERS, ELSEVIER, AMSTERDAM, NL, vol. 26, no. 6, 1 May 2005 (2005-05-01), pages 779-791, XP025292270 ISSN: 0167-8655 [retrieved on 2005-05-01] *

Also Published As

Publication number Publication date
WO2008135822A3 (en) 2009-05-07

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08737546; Country of ref document: EP; Kind code of ref document: A2)