
WO2024235453A1 - Method, computer-readable medium and apparatus for sub-flow correction-based anomaly detection in content distribution network - Google Patents


Info

Publication number: WO2024235453A1
Authority: WO (WIPO, PCT)
Prior art keywords: cdn, dns, correlation, anomaly, requests
Legal status: Pending
Application number: PCT/EP2023/063128
Other languages: French (fr)
Inventors: Oleg Pogorelik, Evyatar Munk
Current assignee: Huawei Cloud Computing Technologies Co Ltd
Original assignee: Huawei Cloud Computing Technologies Co Ltd
Application filed by: Huawei Cloud Computing Technologies Co Ltd
Priority to: CN202380098326.XA (CN121219698A); PCT/EP2023/063128 (WO2024235453A1)
Publication of: WO2024235453A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • G: Physics
    • G06: Computing or calculating; counting
    • G06F: Electric digital data processing
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • the present disclosure relates generally to the field of data security and more specifically, to a method, a computer-readable medium, and an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN.
  • a content distribution network aims at providing high responsiveness and availability of internet services, due to which the resiliency of the CDN to distributed denial of service, DDoS, attacks is the highest priority.
  • DDoS attacks are one of the most prevalent types of cyber-attacks and are growing consistently over time.
  • the DDoS attacks are based on command and control, CNC, bots that are spread over the internet and are ready to execute controller commands, causing data as well as financial losses to a user.
  • the present disclosure provides a method and an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN.
  • the present disclosure provides a solution to the existing problem of how to detect the DoS attack and how to improve the overall data security of the computer systems in order to protect the computer system from the DoS attack.
  • An objective of the present disclosure is to provide a solution that overcomes at least partially the problems encountered in the prior art and provides an improved method and an improved apparatus for sub-flow correlation-based anomaly detection in the CDN, such as by improving the accuracy of CDN distributed denial of service, DDoS, detection systems.
  • the present disclosure provides a method of sub-flow correlation-based anomaly detection in a content distribution network, CDN.
  • the method comprises monitoring a number of domain name system, DNS, queries for one or more uniform resource locators, URLs, to a DNS server per time slot, and monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN, after said DNS queries.
  • the method further includes, for each time slot, calculating a correlation value between the number of the DNS queries and the number of the related TCP requests, and detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
  • the method for sub-flow correlation-based anomaly detection in the CDN is used to detect network anomalies by monitoring the correlation between DNS queries and TCP requests. By calculating the correlation value between these two parameters, the method identifies abnormal behavior in the CDN and reports it to the traffic enforcement system and the DDoS detection system. As a result, the method enables the DDoS detection system to prevent network outages, service disruptions, and security breaches, and to improve the overall performance and reliability of the CDN. Additionally, the method minimizes the number of false positives and false negatives, distinguishes between DDoS attacks and campaigns, and detects otherwise undetectable DDoS attacks and vulnerabilities. In a further implementation, the method includes reporting the detected network anomaly to a traffic enforcement system.
  • the reporting of the detected network anomaly to the traffic enforcement system enables the traffic enforcement system to resolve the detected network anomaly based on the nature of the anomaly, such as by blocking certain traffic or triggering an alert, which can further protect the CDN from the DDoS attack and thus ensures the overall security of the CDN.
  • the method further includes reporting the detected network anomaly to a distributed denial of service, DDoS, detection system for DDoS attack detection.
  • the DDoS detection system for the DDoS attack detection can further take the required action to prevent the detected network anomaly from causing an adverse effect on the CDN, such as a data loss or financial loss caused by the DDoS attack.
  • the present disclosure provides an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN, configured for monitoring a number of domain name system, DNS, queries for one or more uniform resource locators, URLs, to a DNS server per time slot by means of communicating with the DNS server; monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN, after said DNS queries, by means of communicating with an edge cache server of the CDN; for each time slot, calculating a correlation value between the number of the DNS queries and the number of the related TCP requests; and detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
  • CDN: content distribution network
  • the apparatus achieves all the advantages and technical effects of the method of the present disclosure.
  • FIG. 1 is a flowchart of a method of sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure
  • FIG. 2 is a block diagram that depicts an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure
  • FIG. 3 is an exemplary diagram that depicts an anomaly detection in a benign traffic, in accordance with an embodiment of the present disclosure
  • FIG. 4 is an exemplary diagram that depicts an anomaly detection in opposition to a benign traffic, in accordance with an embodiment of the present disclosure
  • FIG. 5 is an illustration that depicts a graphical representation of a continuous tracking of a sub-flow activation rate, in accordance with an embodiment of the present disclosure
  • FIG. 6 is an exemplary diagram that depicts a reporting of an anomaly to a traffic enforcement system, in accordance with an embodiment of the present disclosure
  • FIG. 7 is an exemplary diagram that depicts a system architecture configured to detect an anomaly in a content distribution network (CDN), in accordance with an embodiment of the present disclosure.
  • FIG. 8 is an exemplary diagram that depicts various components of an apparatus for subflow correlation-based anomaly detection in a CDN, in accordance with an embodiment of the present disclosure.
  • an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent.
  • a non-underlined number relates to an item identified by a line linking the nonunderlined number to the item.
  • the non-underlined number is used to identify a general item at which the arrow is pointing.
  • FIG. 1 is a flowchart of a method of sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure.
  • with reference to FIG. 1, there is shown a flowchart of a method 100 of sub-flow correlation-based anomaly detection in the CDN.
  • the method 100 includes steps 102 to 108.
  • the method 100 includes monitoring a number of domain name system (DNS) queries for one or more uniform resource locators, URLs, to a DNS server per time slot.
  • DNS: domain name system
  • the number of the DNS queries corresponds to the requests for the one or more URLs that are transmitted to the DNS server within a time slot, i.e. a predetermined time interval during which the number of the DNS queries is monitored.
  • the method 100 includes monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN, after said DNS queries.
  • TCP: transmission control protocol
  • the method 100 includes monitoring the number of the DNS queries and the number of TCP requests for the one or more URLs that are handled by the CDN.
  • the monitoring of the number of the DNS queries and the TCP requests is further used to retrieve traffic statistics from the CDN (or from CDN modules). For example, the number of the DNS queries received per second is monitored through the DNS server, and a part of the hypertext transfer protocol, HTTP, sessions is monitored through an edge cache server, in order to retrieve the traffic statistics.
  • the retrieved data such as the traffic statistics may vary from one computing system to another computing system and from one application to another application without limiting the scope of the present disclosure.
  • the number of the DNS queries includes fully qualified domain name, FQDN, resolution requests.
  • the TCP requests include HTTP connection initiation requests.
  • the number of the DNS queries includes the FQDN resolution requests, such as “@ ⁇ cdn ⁇ MyShop.CN”, targeting the DNS server, and the TCP requests include the HTTP connection initiation requests that are handled by the CDN.
  • the method 100 further includes calculating a correlation value between the number of the DNS queries and the number of the related TCP requests.
  • the correlation value is used to distinguish between the DDoS attack and campaign-related high content access rates; to this end, sub-flow activation rates are tracked continuously and the correlation between the selected tuples, such as the number of the DNS queries and the number of related TCP requests, is evaluated.
  • calculating the correlation value between the number of the DNS queries and the number of TCP requests is beneficial because analyzing that value allows the DoS attack to be detected.
  • the method 100 further includes detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
  • if the calculated correlation value is outside the predefined tolerance range, the CDN includes the network anomaly.
  • if the calculated correlation value is not outside the predefined tolerance range, the CDN does not include the network anomaly.
  • the correlation value, derived from the measured parameters (e.g., the number of DNS queries and the number of TCP requests), is evaluated periodically to detect any network anomaly that may cause an adverse effect in the CDN.
  • the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics.
  • the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics that are predefined by an expert. In another implementation, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics and is updated based on the CDN normal or benign traffic statistics. Moreover, the normal correlation value is evaluated periodically to detect the network anomaly, such as an imbalance of sub-flow activation. In accordance with an embodiment, the method 100 further includes reporting the detected network anomaly to a traffic enforcement system.
  • the reporting of the detected network anomaly to the traffic enforcement system enables the traffic enforcement system to resolve the detected network anomaly based on the nature of the anomaly, such as by blocking certain traffic or triggering an alert, which can further protect the CDN from the DDoS attack and thus ensures the overall security of the CDN.
  • the method 100 further includes reporting the detected network anomaly to the distributed denial of service (DDoS) detection system for the DDoS attack detection.
  • the DDoS detection system for the DDoS attack detection can further take the required action to prevent the detected network anomaly from causing an adverse effect on the CDN, such as a data loss or financial loss caused by the DDoS attack.
  • the method 100 for sub-flow correlation-based anomaly detection in the CDN is used to detect network anomalies by monitoring the correlation between DNS queries and TCP requests. By calculating the correlation value between these two parameters, the method 100 identifies abnormal behavior in the CDN and reports it to the traffic enforcement system and the DDoS detection system. As a result, the method 100 enables the DDoS detection system to prevent network outages, service disruptions, and security breaches, and to improve the overall performance and reliability of the CDN. Additionally, the method 100 minimizes the number of false positives and false negatives, distinguishes between DDoS attacks and campaigns, and detects otherwise undetectable DDoS attacks and vulnerabilities.
  • steps 102 to 108 are only illustrative, and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
  • a computer-readable medium storing program codes comprising instructions that, when executed by a computer, cause the computer to implement the method 100.
  • the instructions are implemented on the computer-readable media, which include, but are not limited to, Electrically Erasable Programmable Read-Only Memory, EEPROM, Random Access Memory, RAM, Read-Only Memory, ROM, Hard Disk Drive, HDD, Flash memory, a Secure Digital, SD, card, Solid-State Drive, SSD, a computer-readable storage medium, and/or CPU cache memory.
  • the instructions are generated by a computer program, which is implemented in view of the method 100 of sub-flow correlation-based anomaly detection in the CDN.
  • FIG. 2 is a block diagram that depicts an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure.
  • there is shown a block diagram 200 that depicts an apparatus 202, a content distribution network, CDN, 204, and a domain name system, DNS, server 206.
  • the apparatus 202 is for sub-flow correlation-based anomaly detection in the CDN 204.
  • the apparatus 202 provides an efficient and accurate detection of distributed denial of service, DDoS, attacks in the CDN.
  • the apparatus 202 is configured for monitoring a number of domain name system, DNS, queries for one or more uniform resource locators, URLs, to the DNS server 206 per a time slot by means of communicating with the DNS server 206.
  • the number of DNS queries corresponds to the requests for the one or more URLs that are transmitted to the DNS server within a time slot, i.e. a predetermined time interval during which the number of DNS queries is monitored.
  • the apparatus 202 is configured for monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN, after said DNS queries, by means of communicating with an edge cache server of the CDN.
  • the apparatus 202 is configured to monitor the number of the DNS queries and the number of TCP requests for the one or more URLs that are handled by the CDN.
  • the monitoring of the number of the DNS queries and the TCP requests is further used to retrieve traffic statistics from the CDN (or from CDN modules).
  • the number of the DNS queries received per second is monitored through the DNS server, and a part of the hypertext transfer protocol, HTTP, sessions is monitored through an edge cache server, in order to retrieve the traffic statistics.
  • the retrieved data such as the traffic statistics, may vary from one computing system to another computing system and from one application to another application without limiting the scope of the present disclosure.
  • the correlation value is used to distinguish between a DDoS attack and a campaign-related high content access rate; to this end, sub-flow activation rates are tracked continuously and the correlation between the selected tuples, such as the number of the DNS queries and the number of related TCP requests, is evaluated.
  • the correlation value between the number of the DNS queries and the number of the related TCP requests is calculated through the following equation (1):
  • calculating the correlation value between the number of the DNS queries and the number of TCP requests is beneficial because analyzing that value allows the DoS attack to be detected.
  • the apparatus 202 is configured for detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
  • if the calculated correlation value is outside the predefined tolerance range, the CDN includes the network anomaly.
  • if the calculated correlation value is not outside the predefined tolerance range of the normal correlation, then the CDN does not include the network anomaly.
  • the correlation value, derived from the measured parameters (e.g., the number of DNS queries and the number of TCP requests), is evaluated periodically to detect any network anomaly that may cause an adverse effect in the CDN.
  • the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics. In an implementation, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics that are predefined by an expert. In another implementation, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics and is updated based on the CDN normal or benign traffic statistics. Moreover, the normal correlation value is evaluated periodically to detect the network anomaly, such as an imbalance of sub-flow activation. In accordance with an embodiment, the apparatus 202 is further configured for reporting the detected network anomaly to a traffic enforcement system.
  • the apparatus 202 is configured for reporting the detected network anomaly to a distributed denial of service (DDoS) detection system for DDoS attack detection.
  • the DDoS detection system for the DDoS attack detection can further take the required action to prevent the detected network anomaly from causing an adverse effect on the CDN, such as a data loss or financial loss caused by the DDoS attack.
  • the apparatus 202 for sub-flow correlation-based anomaly detection in the CDN is configured to detect network anomalies by monitoring the correlation between DNS queries and TCP requests. By calculating the correlation value between these two parameters, the apparatus 202 identifies abnormal behavior in the CDN and reports it to the traffic enforcement system and the DDoS detection system. As a result, the apparatus 202 enables the DDoS detection system to prevent network outages, service disruptions, and security breaches, and to improve the overall performance and reliability of the CDN. Additionally, the apparatus 202 minimizes the number of false positives and false negatives, distinguishes between DDoS attacks and campaigns, and detects otherwise undetectable DDoS attacks and vulnerabilities.
  • FIG. 3 is an exemplary diagram that depicts an anomaly detection in a benign traffic, in accordance with an embodiment of the present disclosure.
  • FIG. 3 is described in conjunction with elements from FIG. 2.
  • there is shown an exemplary diagram 300 that depicts the anomaly detection in benign traffic, such as by measuring a correlation value.
  • there is further shown a client 302, an edge cache server 304, an origin 306, and a domain name system (DNS) server 308.
  • DNS: domain name system
  • a number of TCP requests for the URLs is handled by the CDN 204, and this number is proportional to the number of fully qualified domain name, FQDN, resolution requests.
  • the DNS queries and the TCP requests are monitored to calculate the correlation value between the number of the DNS queries and the number of the TCP requests. Moreover, a calculated correlation value is used to detect a network anomaly, if the calculated correlation value is outside the predefined tolerance range of the normal correlation in a network traffic.
  • the DDoS Detection system retrieves the traffic statistics from the CDN, such as through the DNS server 308 (e.g., through a number of DNS requests/sec) and through the edge cache server 304 (e.g., TCP SYN - a part of HTTP session). For example, if there is a sudden increase in TCP requests without a corresponding increase in FQDN resolution requests, then, in that case, it may indicate that the traffic is malicious or abnormal.
  • a sudden decrease in FQDN resolution requests without a corresponding decrease in TCP requests could also indicate an anomaly. Thereafter, the deviation in the correlation value is used to identify anomalies and potential security threats, which allows the apparatus 202 (of FIG. 2) to detect the DDoS attack efficiently, quickly, and accurately.
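The following is an added worked example, not code from the patent or from its assignee, of the method described in steps 102 to 108 and of the two benign-versus-malicious cases just described (TCP requests rising without FQDN resolutions, and resolutions dropping while connections continue). Everything in it is assumed: the page does not reproduce the patent's equation (1), so the per-slot correlation value is taken here to be the ratio of TCP connection-initiation requests to DNS queries; the tolerance range is derived from benign slots as mean plus or minus three standard deviations of that ratio; the slot length, the hostname and all request counts are constructed sample values.

```python
"""Per-time-slot DNS-vs-TCP sub-flow correlation check (added example).

Assumptions, not taken from the patent text: the per-slot correlation value
is the ratio of TCP connection-initiation requests to DNS (FQDN resolution)
queries, and the tolerance range is mean +/- k * stdev of that ratio over
benign slots.  The page does not reproduce the patent's equation (1).
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

SLOT_SECONDS = 10.0  # assumed time-slot length


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since the start of observation (synthetic)
    kind: str   # "dns": FQDN resolution query seen at the DNS server / GSLB
                # "tcp": HTTP connection initiation (TCP SYN) seen at the edge cache
    fqdn: str   # hostname the sub-flow belongs to


def slot_counts(events, slot_seconds=SLOT_SECONDS):
    """Aggregate events into (slot, dns_count, tcp_count), sorted by slot."""
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        counts[int(ev.ts // slot_seconds)][0 if ev.kind == "dns" else 1] += 1
    return [(slot, dns, tcp) for slot, (dns, tcp) in sorted(counts.items())]


def correlation_value(dns, tcp):
    """Assumed metric: TCP requests per DNS query in one slot.

    None marks an empty slot; inf marks connections arriving with no name
    resolution at all (clients that never asked the DNS server)."""
    if dns == 0:
        return None if tcp == 0 else float("inf")
    return tcp / dns


def tolerance_range(benign_slots, k=3.0):
    """Derive (low, high) from benign traffic statistics."""
    ratios = [correlation_value(d, t) for _, d, t in benign_slots]
    ratios = [r for r in ratios if r is not None and r != float("inf")]
    mean, sd = statistics.fmean(ratios), statistics.pstdev(ratios)
    return max(0.0, mean - k * sd), mean + k * sd


def detect_anomalies(slots, low, high):
    """Return the slots whose correlation value lies outside [low, high]."""
    flagged = []
    for slot, dns, tcp in slots:
        r = correlation_value(dns, tcp)
        if r is not None and not (low <= r <= high):
            flagged.append({"slot": slot, "dns": dns, "tcp": tcp, "ratio": r})
    return flagged


def refresh_tolerance(benign_slots, new_slots, low, high, k=3.0):
    """Update the baseline only from slots that were not flagged, so a flood
    cannot drag the tolerance range towards its own ratio."""
    flagged = {a["slot"] for a in detect_anomalies(new_slots, low, high)}
    kept = [s for s in new_slots if s[0] not in flagged]
    return tolerance_range(list(benign_slots) + kept, k)


def make_events(slot, dns, tcp, fqdn="cdn.myshop.example"):
    """Constructed traffic: spread `dns` queries and `tcp` requests evenly
    over one slot.  The hostname is a placeholder."""
    base = slot * SLOT_SECONDS
    evs = [Event(base + SLOT_SECONDS * i / dns, "dns", fqdn) for i in range(dns)]
    evs += [Event(base + SLOT_SECONDS * i / tcp, "tcp", fqdn) for i in range(tcp)]
    return evs


def sample_events():
    """Constructed scenarios: ten benign slots, then a campaign slot (both
    sub-flows grow together), a bot flood (TCP requests without a matching
    rise in DNS queries) and a slot where resolutions drop while
    connections continue."""
    events = []
    for i in range(10):
        events += make_events(i, 20 + i % 3, (20 + i % 3) * 4 + i % 5)
    events += make_events(10, 200, 820)   # campaign: 10x load, same shape
    events += make_events(11, 21, 300)    # flood: connections without lookups
    events += make_events(12, 5, 85)      # DNS drop
    return events


def run():
    """Build the baseline from the benign slots and check every slot."""
    slots = slot_counts(sample_events())
    low, high = tolerance_range(slots[:10])
    return detect_anomalies(slots, low, high)


if __name__ == "__main__":
    for a in run():
        print(f"slot {a['slot']}: dns={a['dns']} tcp={a['tcp']} ratio={a['ratio']:.2f}")
```

Running it flags slots 11 and 12 only: the campaign slot keeps the benign DNS-to-TCP shape and stays inside the range even though its absolute request rate is ten times higher, which is the distinction between a campaign and an attack that the correlation is meant to capture. `refresh_tolerance` shows the caveat a practitioner wants when the range is "updated based on the CDN normal traffic statistics": only unflagged slots feed the baseline, otherwise a sustained flood would widen the range until it looks normal.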
  • FIG. 4 is an exemplary diagram that depicts an anomaly detection in opposition to a benign traffic, in accordance with an embodiment of the present disclosure.
  • FIG. 4 is described in conjunction with elements from FIGs. 2 and 3.
  • there is shown an exemplary diagram 400 that depicts the anomaly detection in opposition to benign traffic, such as by measuring a correlation value.
  • there are shown command and control bots, such as a first command and control bot 402A, a second command and control bot 402B, and a third command and control bot 402C.
  • there are further shown the client 302, the edge cache server 304, and the DNS server 308.
  • the exemplary diagram 400 represents distributed denial of service, DDoS, traffic in opposition to the benign traffic.
  • the DDoS traffic is created by the command and control bots, such as the first command and control bot 402A, the second command and control bot 402B, and the third command and control bot 402C.
  • the DDoS traffic created by the command and control bots has different correlation values between the domain name system, DNS, queries and the transmission control protocol, TCP, requests.
  • the correlation value between the DNS queries and the TCP requests is calculated, such as by the apparatus 202 (of FIG. 2).
  • the calculated correlation value can be evaluated to detect any anomaly, such as by detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of the normal correlation, as described in detail in FIG. 1.
  • the evaluation of the correlation value between the DNS requests and the related TCP requests is used to detect any anomaly, such as an imbalance in the traffic (i.e., an imbalance induced by HTTP connection initiations).
  • the anomaly can be detected efficiently and accurately, which can be later reported to the traffic enforcement system or the DDoS detection systems.
  • FIG. 5 is an illustration that depicts a graphical representation of a continuous tracking of a sub-flow activation rate, in accordance with an embodiment of the present disclosure.
  • FIG. 5 is shown in conjunction with elements from FIG. 2 to FIG. 4.
  • there is shown a graphical representation 500 with an X-axis 502A that represents edge requests and a Y-axis 502B that represents DNS requests (or the number of the DNS queries).
  • the graphical representation 500 represents a relation between the edge requests and the DNS requests (or the number of the DNS queries) for the detection of the anomaly.
  • the apparatus 202 (of FIG. 2) is configured to track sub-flow activation rates continuously and to calculate the correlation value between the selected tuples, such as the DNS queries and the TCP requests. The calculated value is used to detect the anomaly, depending on whether the calculated correlation value is outside the predefined tolerance range of the normal correlation.
  • normal correlation values, e.g. the correlation value 506 and the like, lie within the predefined tolerance range.
  • the correlation value is calculated while treating an imbalance of the sub-flow activation as a sign of the DDoS attack.
  • the apparatus 202 calculates the correlation value from a selected request rate measured using eFlow (i.e., the DNS queries, such as the FQDN requests) and from a selected TCP ACK (i.e., content browsing) that is related to the establishment of the HTTP connection.
  • the anomaly is detected, if the calculated correlation value is outside the predefined tolerance range of the normal correlation, such as a second correlation value 508 and a third correlation value 510.
  • both the correlation values, such as the second correlation value 508 and the third correlation value 510 are reported to the DDoS detection system and the traffic enforcement system that is used to further determine the DDoS.
  • the second correlation value 508 is determined as the anomaly but the third correlation value 510 is determined as the DDoS.
  • the deviation in the calculated correlation value is used to efficiently and accurately detect the anomaly that may or may not be the DDoS attack.
  • FIG. 6 is an exemplary diagram that depicts a reporting of an anomaly to a traffic enforcement system, in accordance with an embodiment of the present disclosure.
  • FIG. 6 is described in conjunction with elements from FIGs. 2 and 5.
  • there is shown an exemplary diagram 600 that depicts the reporting of the anomaly to a traffic enforcement system 604.
  • the apparatus 202 is configured to monitor the number of DNS queries for one or more URLs that are transmitted from the client 302 to the DNS server 308 (or global server load balancing, GSLB) per a time slot. Furthermore, the apparatus 202 is configured to monitor the number of TCP requests related to said URLs that are requested by the client 302 from the edge cache server 304. Furthermore, the network anomaly is detected, such as by calculating the correlation value. Moreover, if the calculated correlation value is outside a predefined tolerance range of a normal correlation, then, in that case, the network anomaly is detected. Furthermore, the detected network anomaly is reported to the traffic enforcement system 604, such as at operation 602.
  • the apparatus 202 (of FIG. 2) is configured to calculate the correlation between traffic parameters, such as the DNS queries and the TCP requests to further calculate a likelihood of the DDoS attack as a derivative of the patterns correlation.
  • the traffic enforcement system 604 detects the DDoS attack efficiently and accurately in order to prevent an adverse effect on the CDN.
  • FIG. 7 is an exemplary diagram that depicts an architecture to detect an anomaly in a content distribution network, CDN, in accordance with an embodiment of the present disclosure.
  • FIG. 7 is described in conjunction with elements from FIGs. 2 to 6.
  • an exemplary diagram 700 that depicts the architecture for anomaly detection, such as by measuring a correlation value.
  • a DNS server 702, a client 704, a distributed denial of service, DDoS, detection system 706, and edge nodes, such as a first edge node 708A, a second edge node 708B, up to an nth edge node 708N.
  • the client 704 is configured to request one or more URLs from the DNS server 702 (or a GSLB), such as through the DNS queries (e.g., DNS query (Cn I)).
  • the DNS server 702 utilizes the existing traffic monitoring tools, such as NetStream, eFlow, and the like to calculate the correlation value. Such tools will aggregate raw labelled data regarding the selected traffic (e.g., DNS packet rate, TCP ACK, and the like.)
  • the client 704 is configured to send TCP requests that are related to the URLs to the edge cache servers (or edge nodes), such as the first edge node 708 A, the second edge node 708B, up to the nth edge node 708N.
  • the DDoS detection system 706 is configured to collect information, such as the calculated correlation value, which is reported by the apparatus 202. Thereafter, the DDoS detection system 706 is configured to alert the client about the DDoS attack. In addition, the DDoS detection system 706 learns and classifies the reported anomalies in order to analyse the observed traffic patterns and evaluate traffic correlation. Hence, after analysing the network traffic the apparatus 202 is configured to detect the DDoS attack efficiently and accurately.
  • FIG. 8 is an exemplary diagram that depicts various components of an apparatus, in accordance with an embodiment of the present disclosure.
  • FIG. 8 is described in conjunction with elements from FIGs. 2 to 7.
  • an exemplary diagram 800 that depicts the various components of the apparatus (i.e., the apparatus 202 of FIG. 2) for anomaly detection, such as by measuring a correlation value.
  • a traffic monitor 802, a raw data store 804, an anomaly classifier 806, a statistics processor 808, a cleaner 810, a pattern store 812, and a learning system 814.
  • the traffic monitor 802 is configured to collect traffic statistics, such as the data collected from DNS traffic parameters and edge traffic parameters and further store the collected data in the raw data store 804.
  • the raw data store 804 is configured to store frames of the traffic measurements, such as the traffic measurements for different flows.
  • the statistics processor 808 is configured to calculate the correlation values for specified traffics (e.g., DNS queries, L3/L4, or application requests). The calculated correlation values are further used to determine the network anomaly if the calculated correlation value deviates from the normal correlation value.
  • the learning system 814 is configured to create reference patterns for further use by the anomaly classifier 806, which is configured to analyse and classify the anomalies, such as by detecting anomalies.
  • the anomaly classifier 806 is configured to retrieve a specific pattern in order to evaluate run-time metrics that are provided by the statistics processor 808.
  • the created reference patterns are stored in the pattern store 812.
  • the cleaner 810 of the apparatus 202 is configured to manage the clean-up of outdated or aged data, such as by purging selected data from the raw data store 804.
  • an anomaly is flagged when the calculated correlation value R (or correlation metric) falls outside the tolerance range of the normal correlation value (or reference correlation value), i.e. when $R_{\max} < R$ or $R < R_{\min}$
  • the network anomalies that are detected by the apparatus 202 are further used to detect the DDoS attacks efficiently and accurately.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A sub-flow correlation-based anomaly detection provides for efficient and accurate detection of Distributed Denial of Service, DDoS, attacks in a content distribution network, CDN. The number of domain name system, DNS, queries for one or more uniform resource locators, URLs, sent to a DNS server per time slot is monitored. Furthermore, the number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN after said DNS queries is monitored, and for each time slot a correlation value between the number of the DNS queries and the number of the related TCP requests is calculated. A network anomaly is detected if the calculated correlation value is outside a predefined tolerance range of a normal correlation.

Description

METHOD, COMPUTER-READABLE MEDIUM AND APPARATUS FOR SUBFLOW CORRECTION-BASED ANOMALY DETECTION IN CONTENT DISTRIBUTION NETWORK
TECHNICAL FIELD
The present disclosure relates generally to the field of data security and more specifically, to a method, a computer-readable medium, and an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN.
BACKGROUND
Typically, a content distribution network, CDN, aims at providing high responsiveness and availability of internet services, due to which the resiliency of the CDN to distributed denial of service, DDoS, attacks is of the highest priority. Moreover, DDoS attacks are one of the most prevalent types of cyber-attacks, and their number is growing steadily over time. Generally, DDoS attacks are launched by command and control, CNC, bots that are spread over the internet and are ready to execute controller commands, causing data as well as financial losses to a user. Conventionally, certain attempts have been made to mitigate the risk of such attacks, for example through identification of DDoS attacks (e.g., SynFlood, IcmpFlood, PingOfDeath, and the like) by DDoS detection systems that perform a volumetric L3/L4-based evaluation of the traffic volumes against pre-defined thresholds. However, such DDoS detection systems fail to detect DDoS attacks accurately for many reasons; for instance, a purely volumetric threshold cannot tell an attack from a legitimate surge in demand, so legitimate traffic is dropped. Moreover, inaccurate rate limiting leads to frequent false activation or deactivation of the protective traffic enforcement policies, which has a heavy impact on the quality of service. As a result, there exists a technical problem of how to detect DDoS attacks efficiently and accurately in order to improve the overall data security of computer systems and protect them from DDoS attacks.
Therefore, in light of the foregoing discussion, there exists a need to overcome the aforementioned drawbacks associated with the conventional methods and apparatuses to protect the computer systems from the DDoS attacks.
SUMMARY
The present disclosure provides a method and an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN. The present disclosure provides a solution to the existing problem of how to detect the DDoS attack and how to improve the overall data security of the computer systems in order to protect the computer system from the DDoS attack. An objective of the present disclosure is to provide a solution that overcomes at least partially the problems encountered in the prior art and provides an improved method and an improved apparatus for sub-flow correlation-based anomaly detection in the CDN, such as by providing an improved method of accuracy improvement in CDN distributed denial of service, DDoS, detection systems.
One or more objectives of the present disclosure are achieved by the solutions provided in the enclosed independent claims. Advantageous implementations of the present disclosure are further defined in the dependent claims.
In one aspect, the present disclosure provides a method of sub-flow correlation-based anomaly detection in a content distribution network, CDN. The method comprises monitoring a number of domain name system, DNS, queries for one or more uniform resource locators, URLs, to a DNS server per time slot, and monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN after said DNS queries. Furthermore, the method includes, for each time slot, calculating a correlation value between the number of the DNS queries and the number of the related TCP requests, and detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
The method for sub-flow correlation-based anomaly detection in the CDN is used to detect network anomalies by monitoring the correlation between DNS queries and TCP requests. By calculating the correlation value between these two parameters, the method identifies abnormal behavior in the CDN and further reports it to the traffic enforcement system and the DDoS detection system. As a result, the method enables the DDoS detection system to prevent network outages, service disruptions, and security breaches, and to improve the overall performance and reliability of the CDN. Additionally, the method minimizes the number of false positives and false negatives, distinguishes between DDoS attacks and campaign-related surges in legitimate demand, and detects DDoS attacks that a purely volumetric threshold would miss. In a further implementation, the method includes reporting the detected network anomaly to a traffic enforcement system.
In such implementation, the reporting of the detected network anomaly to the traffic enforcement system enables the traffic enforcement system to resolve the detected network anomaly based on the nature of the anomaly, such as by blocking certain traffic or triggering an alert that can further prevent the CDN from the DDoS attack and thus, ensures the overall security of the CDN.
In a further implementation, the method further includes reporting the detected network anomaly to a distributed denial of service, DDoS, detection system for DDoS attack detection.
Advantageously, the DDoS detection system for the DDoS attack detection can further take the required action to prevent the detected network anomaly to cause an adverse effect on the CDN, such as a data loss or financial loss caused by the DDoS attack.
In another aspect, the present disclosure provides an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN, configured for monitoring a number of domain name system, DNS, queries for one or more uniform resource locators, URLs, to a DNS server per time slot by means of communicating with the DNS server; monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN after said DNS queries, by means of communicating with an edge cache server of the CDN; for each time slot, calculating a correlation value between the number of the DNS queries and the number of the related TCP requests; and detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
The apparatus achieves all the advantages and technical effects of the method of the present disclosure.
It is to be appreciated that all the aforementioned implementation forms can be combined.
It has to be noted that all devices, elements, circuitry, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof. It will be appreciated that features of the present disclosure are susceptible to being combined in various combinations without departing from the scope of the present disclosure as defined by the appended claims.
Additional aspects, advantages, features and objects of the present disclosure would be made apparent from the drawings and the detailed description of the illustrative implementations construed in conjunction with the appended claims that follow.
BRIEF DESCRIPTION OF THE DRAWINGS
The summary above, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present disclosure, exemplary constructions of the disclosure are shown in the drawings. However, the present disclosure is not limited to specific methods and instrumentalities disclosed herein. Moreover, those in the art will understand that the drawings are not to scale. Wherever possible, like elements have been indicated by identical numbers.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following diagrams wherein:
FIG. 1 is a flowchart of a method of sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure;
FIG. 2 is a block diagram that depicts an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure;
FIG. 3 is an exemplary diagram that depicts an anomaly detection in a benign traffic, in accordance with an embodiment of the present disclosure; FIG. 4 is an exemplary diagram that depicts an anomaly detection in opposition to a benign traffic, in accordance with an embodiment of the present disclosure;
FIG. 5 is an illustration that depicts a graphical representation of a continuous tracking of a sub-flow activation rate, in accordance with an embodiment of the present disclosure;
FIG. 6 is an exemplary diagram that depicts a reporting of an anomaly to a traffic enforcement system, in accordance with an embodiment of the present disclosure;
FIG. 7 is an exemplary diagram that depicts a system architecture configured to detect an anomaly in a content distribution network, CDN, in accordance with an embodiment of the present disclosure; and
FIG. 8 is an exemplary diagram that depicts various components of an apparatus for subflow correlation-based anomaly detection in a CDN, in accordance with an embodiment of the present disclosure.
In the accompanying drawings, an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent. A non-underlined number relates to an item identified by a line linking the nonunderlined number to the item. When a number is non-underlined and accompanied by an associated arrow, the non-underlined number is used to identify a general item at which the arrow is pointing.
DETAILED DESCRIPTION OF EMBODIMENTS
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognize that other embodiments for carrying out or practicing the present disclosure are also possible.
FIG. 1 is a flowchart of a method of sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure. With reference to FIG. 1, there is shown a flowchart of a method 100 of sub-flow correlation-based anomaly detection in the CDN. The method 100 includes steps 102 to 108.
There is provided the method 100 of sub-flow correlation-based anomaly detection in the CDN. In other words, the method 100 provides an efficient and accurate detection of volumetric distributed denial of service, DDoS, attacks in the CDN. In operation, at step 102, the method 100 includes monitoring a number of domain name system (DNS) queries for one or more uniform resource locators, URLs, to a DNS server per time slot. In an implementation, the number of the DNS queries corresponds to the requests for the one or more URLs that are transmitted to the DNS server during one time slot, where a time slot is a predetermined time interval during which the number of the DNS queries is counted. Furthermore, at step 104, the method 100 includes monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN after said DNS queries. In other words, the method 100 includes monitoring both the number of the DNS queries and the number of the TCP requests for the one or more URLs that are handled by the CDN. The monitoring of the number of the DNS queries and the TCP requests is further used to retrieve traffic statistics from the CDN (or from CDN modules). For example, the number of the DNS queries received per second is monitored through the DNS server, and the connection-initiating part of the hypertext transfer protocol, HTTP, sessions (the TCP SYN) is monitored through an edge cache server to retrieve the traffic statistics. However, the retrieved data, such as the traffic statistics, may vary from one computing system to another and from one application to another without limiting the scope of the present disclosure. In accordance with an embodiment, the DNS queries include fully qualified domain name, FQDN, resolution requests, and the TCP requests include HTTP connection initiation requests.
For example, the DNS queries include FQDN resolution requests, such as for “@{cdn}MyShop.CN”, targeting the DNS server, and the TCP requests include the HTTP connection initiation requests that are handled by the CDN. Furthermore, at step 106, for each time slot, the method 100 further includes calculating a correlation value between the number of the DNS queries and the number of the related TCP requests. In an implementation, the correlation value is used to distinguish between a DDoS attack and campaign-related high content access rates: the sub-flow activation rates are tracked continuously and the correlation between the selected tuple, i.e. between the number of the DNS queries and the number of the related TCP requests, is evaluated. Moreover, the correlation value between the number of the DNS queries (X) and the number of the related TCP requests (Y) is calculated through the following equation (1):

$$\mathrm{corr}_{XY} = \rho_{XY} = \frac{E[(X - \mu_X)(Y - \mu_Y)]}{\sigma_X\,\sigma_Y} \qquad (1)$$

where $\mu_X$, $\mu_Y$ are the means and $\sigma_X$, $\sigma_Y$ the standard deviations of the two counts. As a result, the calculation of the correlation value between the number of the DNS queries and the number of the TCP requests is beneficial to further analyze the correlation value in order to detect the DDoS attack.
At step 108, the method 100 further includes detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation. In an implementation, if the calculated correlation value is outside the predefined tolerance range of the normal correlation, then a network anomaly is present in the CDN. In another implementation, if the calculated correlation value is within the predefined tolerance range of the normal correlation, then no network anomaly is present in the CDN. As a result, the correlation value of the measured parameters (e.g., the number of DNS queries and the number of TCP requests) is evaluated periodically to detect any network anomaly that may cause an adverse effect in the CDN. In accordance with an embodiment, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics. In an implementation, the tolerance range of the normal correlation is predefined by an expert based on the CDN benign traffic statistics. In another implementation, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics and is updated as further normal or benign traffic statistics are collected. Moreover, the normal correlation value is evaluated periodically to detect the network anomaly, such as an imbalance of sub-flow activation. In accordance with an embodiment, the method 100 further includes reporting the detected network anomaly to a traffic enforcement system. The reporting of the detected network anomaly to the traffic enforcement system enables the traffic enforcement system to resolve the detected network anomaly based on the nature of the anomaly, such as by blocking certain traffic or triggering an alert, which can further protect the CDN from the DDoS attack and thus ensures the overall security of the CDN.
In accordance with an embodiment, the method 100 further includes reporting the detected network anomaly to the distributed denial of service (DDoS) detection system for DDoS attack detection. As a result, the DDoS detection system can further take the required action to prevent the detected network anomaly from causing an adverse effect on the CDN, such as a data loss or financial loss caused by the DDoS attack.
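The following is an added worked example of steps 102 to 108 and of the reporting decision; it is illustrative code written for this page, not code from the patent or from the applicant. It also exercises the roles of the FIG. 8 components (traffic monitor counts, statistics processor computing equation (1), learning system deriving the tolerance range from benign statistics, anomaly classifier applying the $R_{\max} < R$ or $R < R_{\min}$ test). One assumption is made explicit: equation (1) is a Pearson correlation and needs a sample of (X, Y) pairs, so "for each time slot" is read here as evaluating (1) over a sliding window of the most recent slots and attributing the result to the newest slot. The function names, the window size, the margin and every traffic figure below are constructed for the example.

```python
"""Sub-flow correlation check for a CDN: DNS queries vs. TCP requests per time slot.

Added illustration, not the patent's code. Function names, WINDOW, the margin
and all per-slot counts are constructed assumptions for this example.
"""
from statistics import mean, pstdev


def pearson(xs, ys):
    """Equation (1): corr_XY = E[(X - mu_X)(Y - mu_Y)] / (sigma_X * sigma_Y).

    Returns None when a sub-flow is constant inside the window (sigma = 0), so
    the caller can treat 'no information' differently from 'anomaly'.
    """
    if len(xs) != len(ys) or len(xs) < 2:
        return None
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0.0 or sy == 0.0:
        return None
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (sx * sy)


def window_correlations(slots, window):
    """Statistics processor: one correlation value per slot over the last `window` slots.

    `slots` holds (dns_queries, tcp_requests) counts, one tuple per time slot,
    i.e. the traffic monitor's output. Slots with too little history give None.
    """
    out = []
    for i in range(len(slots)):
        if i + 1 < window:
            out.append(None)
            continue
        recent = slots[i + 1 - window:i + 1]
        out.append(pearson([d for d, _ in recent], [t for _, t in recent]))
    return out


def learn_tolerance(benign_slots, window, margin=0.05):
    """Learning system: derive [R_min, R_max] from benign traffic statistics.

    The margin is an assumed operator-tuned slack. The upper bound is kept on
    purpose: two sub-flows moving in unnaturally perfect lockstep is also a
    deviation from the benign reference pattern.
    """
    rs = [r for r in window_correlations(benign_slots, window) if r is not None]
    return min(rs) - margin, max(rs) + margin


def detect_anomalies(slots, window, r_min, r_max):
    """Anomaly classifier: flag a slot when R_max < R or R < R_min."""
    verdicts = []
    for r in window_correlations(slots, window):
        if r is None:
            verdicts.append("insufficient-data")
        elif r < r_min or r > r_max:
            verdicts.append("anomaly")          # would be reported to enforcement / DDoS system
        else:
            verdicts.append("normal")
    return verdicts


# Constructed per-slot counts (dns_queries, tcp_requests). Benign clients resolve
# the FQDN once and then open roughly three connections per resolution.
BENIGN_DNS = [100, 120, 90, 110, 130, 95, 105, 125, 115, 100]
JITTER = [5, -4, 3, -6, 2, -3, 4, -5, 1, -2]
BENIGN = [(d, 3 * d + j) for d, j in zip(BENIGN_DNS, JITTER)]
# Campaign: twice the audience; both sub-flows grow together, so no anomaly.
CAMPAIGN = [(2 * d, 6 * d + j) for d, j in zip(BENIGN_DNS, JITTER)]
# Bot flood: bots hit the edge address directly, so TCP SYNs surge while the
# number of DNS resolution requests stays at the benign level.
FLOOD_SYN = [400, 900, 1500, 2200, 1800, 2600, 3100, 2400, 3500, 4000]
FLOOD = [(d, 3 * d + j + f) for d, j, f in zip(BENIGN_DNS, JITTER, FLOOD_SYN)]

WINDOW = 6  # assumed number of slots per correlation sample


def run_demo():
    """Learn the tolerance range on benign slots, then scan a mixed stream."""
    r_min, r_max = learn_tolerance(BENIGN * 2, WINDOW)
    stream = BENIGN + CAMPAIGN + FLOOD
    return r_min, r_max, detect_anomalies(stream, WINDOW, r_min, r_max)


if __name__ == "__main__":
    lo, hi, verdicts = run_demo()
    print(f"tolerance range: [{lo:.3f}, {hi:.3f}]")
    for i, ((dns, tcp), v) in enumerate(zip(BENIGN + CAMPAIGN + FLOOD, verdicts)):
        print(f"slot {i:2d} dns={dns:4d} tcp={tcp:5d} -> {v}")
```

Two practical caveats that the example makes visible. First, the campaign slots stay "normal" although their volume doubles, which is exactly the false positive a purely volumetric threshold would raise, while the flood is flagged from the first slot in which uncorrelated SYNs enter the window. Second, a bot that issues a fresh DNS query before every connection keeps the two sub-flows in lockstep and is not caught by the lower bound alone; benign clients cache resolutions for the TTL, so the benign correlation sits below 1 and the upper bound, together with per-URL reference patterns, is what separates such traffic. The reference range is only as good as the benign capture it is learned from, so the learning stream must be known to be attack-free.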
The method 100 for sub-flow correlation-based anomaly detection in the CDN is used to detect network anomalies by monitoring the correlation between DNS queries and TCP requests. By calculating the correlation value between these two parameters, the method 100 identifies abnormal behavior in the CDN and further reports it to the traffic enforcement system and the DDoS detection system. As a result, the method 100 enables the DDoS detection system to prevent network outages, service disruptions, and security breaches, and to improve the overall performance and reliability of the CDN. Additionally, the method 100 minimizes the number of false positives and false negatives, distinguishes between DDoS attacks and campaign-related surges in legitimate demand, and detects DDoS attacks that a purely volumetric threshold would miss.
The steps 102 to 108 are only illustrative, and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
There is provided a computer-readable medium storing program codes comprising instructions that, when executed by a computer, cause the computer to implement the method 100. In an example, the instructions are implemented on the computer-readable media, which include, but are not limited to, Electrically Erasable Programmable Read-Only Memory, EEPROM, Random Access Memory, RAM, Read-Only Memory, ROM, Hard Disk Drive, HDD, Flash memory, a Secure Digital, SD, card, Solid-State Drive, SSD, a computer-readable storage medium, and/or CPU cache memory. In an example, the instructions are generated by a computer program, which is implemented in view of the method 100 of sub-flow correlationbased anomaly detection in the CDN.
FIG. 2 is a block diagram that depicts an apparatus for sub-flow correlation-based anomaly detection in a content distribution network, CDN, in accordance with an embodiment of the present disclosure. With reference to FIG. 2, there is shown a block diagram 200 that depicts an apparatus 202, a content distribution network, CDN, 204, and a domain name system, DNS, server 206.
There is provided the apparatus 202 for sub-flow correlation-based anomaly detection in the CDN 204. In other words, the apparatus 202 provides an efficient and accurate detection of distributed denial of service, DDoS, attacks in the CDN.
In operation, the apparatus 202 is configured for monitoring a number of domain name system, DNS, queries for one or more uniform resource locators, URLs, to the DNS server 206 per time slot by means of communicating with the DNS server 206. In an implementation, the number of the DNS queries corresponds to the requests for the one or more URLs that are transmitted to the DNS server during one time slot, where a time slot is a predetermined time interval during which the number of the DNS queries is counted. Furthermore, the apparatus 202 is configured for monitoring a number of transmission control protocol, TCP, requests related to said URLs that are handled by the CDN after said DNS queries, by means of communicating with an edge cache server of the CDN. In other words, the apparatus 202 is configured to monitor both the number of the DNS queries and the number of the TCP requests for the one or more URLs that are handled by the CDN. The monitoring of the number of the DNS queries and the TCP requests is further used to retrieve traffic statistics from the CDN (or from CDN modules). For example, the number of the DNS queries received per second is monitored through the DNS server, and the connection-initiating part of the hypertext transfer protocol, HTTP, sessions (the TCP SYN) is monitored through an edge cache server to retrieve the traffic statistics. However, the retrieved data, such as the traffic statistics, may vary from one computing system to another and from one application to another without limiting the scope of the present disclosure. Furthermore, for each time slot, the apparatus 202 is configured to calculate a correlation value between the number of the DNS queries and the number of the related TCP requests.
In an implementation, the correlation value is used to distinguish between a DDoS attack and a campaign-related high content access rate: the sub-flow activation rates are tracked continuously and the correlation between the selected tuple, i.e. between the number of the DNS queries and the number of the related TCP requests, is evaluated. Moreover, the correlation value between the number of the DNS queries (X) and the number of the related TCP requests (Y) is calculated through the following equation (1):

$$\mathrm{corr}_{XY} = \rho_{XY} = \frac{E[(X - \mu_X)(Y - \mu_Y)]}{\sigma_X\,\sigma_Y} \qquad (1)$$

where $\mu_X$, $\mu_Y$ are the means and $\sigma_X$, $\sigma_Y$ the standard deviations of the two counts. As a result, the calculation of the correlation value between the number of the DNS queries and the number of the TCP requests is beneficial to further analyze the correlation value in order to detect the DDoS attack.
Furthermore, the apparatus 202 is configured for detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation. In an implementation, if the calculated correlation value is outside the predefined tolerance range of the normal correlation, then a network anomaly is present in the CDN. In another implementation, if the calculated correlation value is within the predefined tolerance range of the normal correlation, then no network anomaly is present in the CDN. As a result, the correlation value of the measured parameters (e.g., the number of DNS queries and the number of TCP requests) is evaluated periodically to detect any network anomaly that may cause an adverse effect in the CDN.
In accordance with an embodiment, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics. In an implementation, the tolerance range of the normal correlation is predefined by an expert based on the CDN benign traffic statistics. In another implementation, the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics and is updated as further normal or benign traffic statistics are collected. Moreover, the normal correlation value is evaluated periodically to detect the network anomaly, such as an imbalance of sub-flow activation. In accordance with an embodiment, the apparatus 202 is further configured for reporting the detected network anomaly to a traffic enforcement system. The reporting of the detected network anomaly to the traffic enforcement system enables the traffic enforcement system to resolve the detected network anomaly based on the nature of the anomaly, such as by blocking certain traffic or triggering an alert, which can further protect the CDN from the DDoS attack and thus ensures the overall security of the CDN. In accordance with an embodiment, the apparatus 202 is configured for reporting the detected network anomaly to a distributed denial of service (DDoS) detection system for DDoS attack detection. As a result, the DDoS detection system can further take the required action to prevent the detected network anomaly from causing an adverse effect on the CDN, such as a data loss or financial loss caused by the DDoS attack.
The apparatus 202 for sub-flow correlation-based anomaly detection in the CDN is configured to detect network anomalies by monitoring the correlation between DNS queries and TCP requests. By calculating the correlation value between these two parameters, the apparatus 202 is configured to identify abnormal behavior in the CDN and further report it to the traffic enforcement system and the DDoS detection system. As a result, the apparatus 202 enables the DDoS detection system to prevent network outages, service disruptions, and security breaches, and to improve the overall performance and reliability of the CDN. Additionally, the apparatus 202 is configured to minimize the number of false positives and false negatives, to distinguish between DDoS attacks and campaign-related surges in legitimate demand, and to detect DDoS attacks that a purely volumetric threshold would miss.
FIG. 3 is an exemplary diagram that depicts an anomaly detection in a benign traffic, in accordance with an embodiment of the present disclosure. FIG. 3 is described in conjunction with elements from FIG. 2. With reference to FIG. 3 there is shown an exemplary diagram 300 that depicts the anomaly detection in a benign traffic, such as by measuring a correlation value.
In an exemplary scenario, there is shown a client 302, an edge cache server 304, an origin 306, and a domain name system (DNS) server 308. During benign traffic, the number of TCP requests for the URLs handled by the CDN 204 is proportional to the number of fully qualified domain name, FQDN, resolution requests. Moreover, the apparatus 202 (of FIG. 2) is configured to monitor the number of DNS queries, such as for FQDN= “@{cdn}MyShop.CN”, that are transmitted by the client 302 to the DNS server 308, such as at operation 310. Furthermore, the TCP requests (e.g., a request to the resolved address “IPV4=11.35.16.201”) are sent by the client 302 to the edge cache server 304. The DNS queries and the TCP requests are monitored to calculate the correlation value between the number of the DNS queries and the number of the TCP requests. Moreover, the calculated correlation value is used to detect a network anomaly if it is outside the predefined tolerance range of the normal correlation of the network traffic. In addition, the DDoS detection system retrieves the traffic statistics from the CDN, such as through the DNS server 308 (e.g., the number of DNS requests/sec) and through the edge cache server 304 (e.g., TCP SYNs, the connection-initiating part of an HTTP session). For example, if there is a sudden increase in TCP requests without a corresponding increase in FQDN resolution requests, this may indicate that the traffic is malicious or abnormal. Similarly, a sudden decrease in FQDN resolution requests without a corresponding decrease in TCP requests could also indicate an anomaly. Thereafter, the deviation in the correlation value is used to identify anomalies and potential security threats, which allows the apparatus 202 (of FIG. 2) to detect the DDoS attack efficiently, quickly, and accurately.
FIG. 4 is an exemplary diagram that depicts anomaly detection in traffic that contrasts with benign traffic, in accordance with an embodiment of the present disclosure. FIG. 4 is described in conjunction with elements from FIGs. 2 and 3. With reference to FIG. 4 there is shown an exemplary diagram 400 that depicts the anomaly detection in such traffic, such as by measuring a correlation value. There are further shown command and control bots, such as a first command and control bot 402A, a second command and control bot 402B, and a third command and control bot 402C. There are further shown the client 302, the edge cache server 304, and the DNS server 308.
In an implementation, the exemplary diagram 400 represents distributed denial of service, DDoS, traffic in contrast to the benign traffic. The DDoS traffic is created by the command and control bots, such as the first command and control bot 402A, the second command and control bot 402B, and the third command and control bot 402C. The DDoS traffic created by the command and control bots has a different correlation value between the domain name system, DNS, requests and the transmission control protocol, TCP, requests. The correlation value between the DNS requests and the TCP requests is calculated, such as by the apparatus 202 (of FIG. 2). Therefore, the calculated correlation value can be evaluated to detect any anomaly, such as by detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of the normal correlation, as described in detail in FIG. 1. Thus, the evaluation of the correlation value between the DNS requests and the related TCP requests is used to detect any anomaly, such as an imbalance in traffic (i.e., an imbalance induced by HTTP connection initiations). Hence, the anomaly can be detected efficiently and accurately and later reported to the traffic enforcement system or the DDoS detection system.
FIG. 5 is an illustration that depicts a graphical representation of a continuous tracking of a subflow activation rate, in accordance with an embodiment of the present disclosure. FIG. 5 is shown in conjunction with elements from FIG. 2 to FIG. 4. With reference to FIG. 5, there is shown a graphical representation 500 with an X-axis 502A that represents edge requests and a Y-axis 502B that represents DNS requests (or the number of the DNS queries).
The graphical representation 500 represents the relation between the edge requests and the DNS requests (or the number of the DNS queries) for the detection of the anomaly. The apparatus 202 (of FIG. 2) is configured to track sub-flow activation rates continuously and to calculate the correlation value between the selected tuples, such as the DNS queries and the TCP requests. The anomaly is detected if the calculated correlation value is outside the predefined tolerance range of the normal correlation. The normal correlation values (e.g., a correlation value 506 and the like) lie in the internal area of the tolerance bands, which is bounded by a dotted line 504. The correlation value is calculated while considering an imbalance of the sub-flow activation as a sign of the DDoS attack. The apparatus 202 calculates the correlation value from a selected request rate that is measured using eFlow (i.e., the DNS queries, such as the FQDN requests) and from a selected TCP ACK rate (i.e., content browsing) related to the establishment of the HTTP connection. The anomaly is detected if the calculated correlation value is outside the predefined tolerance range of the normal correlation, such as a second correlation value 508 and a third correlation value 510. Both of these correlation values, the second correlation value 508 and the third correlation value 510, are reported to the DDoS detection system and the traffic enforcement system, which further determine whether a DDoS attack is under way. For example, the second correlation value 508 is determined to be an anomaly, whereas the third correlation value 510 is determined to be a DDoS attack. Thus, the deviation in the calculated correlation value is used to efficiently and accurately detect an anomaly that may or may not be a DDoS attack.
FIG. 6 is an exemplary diagram that depicts the reporting of an anomaly to a traffic enforcement system, in accordance with an embodiment of the present disclosure. FIG. 6 is described in conjunction with elements from FIGs. 2 and 5. With reference to FIG. 6 there is shown an exemplary diagram 600 that depicts the reporting of the anomaly to a traffic enforcement system 604.
In an exemplary scenario, the apparatus 202 is configured to monitor the number of DNS queries for one or more URLs that are transmitted from the client 302 to the DNS server 308 (or global server load balancing, GSLB) per time slot. Furthermore, the apparatus 202 is configured to monitor the number of TCP requests related to said URLs that are requested by the client 302 from the edge cache server 304. The network anomaly is detected by calculating the correlation value: if the calculated correlation value is outside a predefined tolerance range of a normal correlation, the network anomaly is detected. The detected network anomaly is then reported to the traffic enforcement system 604, such as at operation 602. Considering a traffic imbalance between the number of CDN requests and the content queries targeting the related edge nodes as a sign of a DDoS attack, the apparatus 202 (of FIG. 2) is configured to calculate the correlation between traffic parameters, such as the DNS queries and the TCP requests, and to derive a likelihood of the DDoS attack from the pattern correlation. As a result, the traffic enforcement system 604 detects the DDoS attack efficiently and accurately in order to prevent an adverse effect on the CDN.
FIG. 7 is an exemplary diagram that depicts an architecture to detect an anomaly in a content distribution network, CDN, in accordance with an embodiment of the present disclosure. FIG. 7 is described in conjunction with elements from FIGs. 2 to 6. With reference to FIG. 7 there is shown an exemplary diagram 700 that depicts the architecture for anomaly detection, such as by measuring a correlation value. There is shown a DNS server 702, a client 704, a distributed denial of service, DDoS, detection system 706, and edge nodes, such as a first edge node 708A, a second edge node 708B, up to an nth edge node 708N.
In an implementation scenario, the client 704 is configured to request one or more URLs from the DNS server 702 (or a GSLB), such as through the DNS queries (e.g., DNS query (Cn I)). The DNS server 702 utilizes existing traffic monitoring tools, such as NetStream, eFlow, and the like, to calculate the correlation value. Such tools aggregate raw labelled data regarding the selected traffic (e.g., DNS packet rate, TCP ACK, and the like). Similarly, the client 704 is configured to send TCP requests that are related to the URLs to the edge cache servers (or edge nodes), such as the first edge node 708A, the second edge node 708B, up to the nth edge node 708N. Furthermore, the DDoS detection system 706 is configured to collect information, such as the calculated correlation value, which is reported by the apparatus 202. Thereafter, the DDoS detection system 706 is configured to alert the client about the DDoS attack. In addition, the DDoS detection system 706 learns and classifies the reported anomalies in order to analyse the observed traffic patterns and evaluate traffic correlation. Hence, after analysing the network traffic, the apparatus 202 is configured to detect the DDoS attack efficiently and accurately.
FIG. 8 is an exemplary diagram that depicts various components of an apparatus, in accordance with an embodiment of the present disclosure. FIG. 8 is described in conjunction with elements from FIGs. 2 to 7. With reference to FIG. 8 there is shown an exemplary diagram 800 that depicts the various components of the apparatus (i.e., the apparatus 202 of FIG. 2) for anomaly detection, such as by measuring a correlation value. There is shown a traffic monitor 802, a raw data store 804, an anomaly classifier 806, a statistics processor 808, a cleaner 810, a pattern store 812, and a learning system 814. In an implementation scenario, the traffic monitor 802 is configured to collect traffic statistics, such as the data collected from DNS traffic parameters and edge traffic parameters, and to store the collected data in the raw data store 804. The raw data store 804 is configured to store frames of the traffic measurements, such as the traffic measurements for different flows. Thereafter, the statistics processor 808 is configured to calculate the correlation values for the specified traffic types (e.g., DNS queries, L3/L4, or application requests). The calculated correlation values are further used to determine the network anomaly if the calculated correlation value deviates from the normal correlation value. The learning system 814 is configured to create reference patterns for further use by the anomaly classifier 806, which is configured to analyse and classify the anomalies. The anomaly classifier 806 retrieves a specific pattern in order to evaluate the run-time metrics that are provided by the statistics processor 808. The created reference patterns are stored in the pattern store 812. The cleaner 810 of the apparatus 202 is configured to manage the clean-up of outdated or aged data, such as by purging selected data from the raw data store 804.
In an implementation, if the calculated correlation value (or correlation metric) R falls outside the bounds of the normal correlation value (or reference correlation value), i.e., “R max < R or R < R min”, then the DDoS attack is detected. The difference between the exceptional current value and the MAX/MIN boundary, in percentage (%), is calculated as “L = 1 - ABS (R - R min/max)/100”. As a result, the network anomalies that are detected by the apparatus 202 are further used to detect the DDoS attacks efficiently and accurately.
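The per-time-slot check described for FIGs. 3 to 8, as an added example that is not the patent's own code: it buckets constructed DNS and edge TCP events into time slots, learns the tolerance range [R_min, R_max] from benign slots, flags slots whose value leaves the range, and reports the deviation L using the expression given above. The use of the TCP-per-DNS ratio as the correlation metric, the mean plus or minus k standard deviations band, the slot length, and all FQDN and count values are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

SLOT_SECONDS = 10  # length of one time slot (assumed; the patent leaves it open)


def synth(profile, fqdn="cdn.myshop.example", slot=SLOT_SECONDS):
    """Constructed event stream: profile[s] = (dns_count, tcp_count) in slot s.
    Each event is (time_s, kind, fqdn); "dns" = FQDN resolution seen at the
    DNS server/GSLB, "tcp" = TCP SYN (HTTP initiation) seen at an edge node."""
    events = []
    for s, (n_dns, n_tcp) in enumerate(profile):
        base = s * slot
        events += [(base + i % slot, "dns", fqdn) for i in range(n_dns)]
        events += [(base + i % slot, "tcp", fqdn) for i in range(n_tcp)]
    return events


def bucket(events, slot=SLOT_SECONDS):
    """Count DNS queries and TCP requests per (time slot, FQDN)."""
    counts = defaultdict(lambda: {"dns": 0, "tcp": 0})
    for t, kind, fqdn in events:
        counts[(t // slot, fqdn)][kind] += 1
    return counts


def ratio(dns, tcp):
    """Correlation metric R for one slot: TCP requests per DNS query.
    The patent does not fix the metric; a plain ratio is an assumption here."""
    return tcp / dns if dns else float("inf")


def learn_band(benign_events, k=3.0, slot=SLOT_SECONDS):
    """Tolerance range [R_min, R_max] from benign slots: mean +/- k std-devs."""
    rs = [ratio(c["dns"], c["tcp"])
          for c in bucket(benign_events, slot).values() if c["dns"]]
    m, s = mean(rs), pstdev(rs)
    return max(0.0, m - k * s), m + k * s


def classify(dns, tcp, r_min, r_max):
    """Return (is_anomaly, R, L). An anomaly is R_max < R or R < R_min; L is the
    page's expression L = 1 - ABS(R - R_min/max)/100 against the violated
    boundary, clamped at 0 so an infinite R (TCP with no DNS) stays a number."""
    r = ratio(dns, tcp)
    if r > r_max:
        return True, r, max(0.0, 1 - abs(r - r_max) / 100)
    if r < r_min:
        return True, r, max(0.0, 1 - abs(r - r_min) / 100)
    return False, r, 1.0


def detect(events, r_min, r_max, slot=SLOT_SECONDS):
    """Report (slot, fqdn, R, L) for every slot whose value leaves the band."""
    reports = []
    for (s, fqdn), c in sorted(bucket(events, slot).items()):
        flag, r, l = classify(c["dns"], c["tcp"], r_min, r_max)
        if flag:
            reports.append((s, fqdn, round(r, 2), round(l, 3)))
    return reports


# Constructed traffic: benign slots keep roughly 3 TCP requests per DNS query.
# The second window has a slot flooded with edge TCP SYNs that skipped DNS
# (slot 2) and a slot of DNS queries that never become connections (slot 3).
BENIGN = synth([(4, 12), (5, 14), (4, 13), (5, 15), (6, 18)])
ATTACK = synth([(4, 12), (5, 15), (4, 120), (40, 12)])
```

Running `detect(ATTACK, *learn_band(BENIGN))` reports slots 2 and 3 only; the two benign-looking slots of the same window stay inside the band.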
Modifications to embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as "including", "comprising", "incorporating", "have", "is" used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural. The word "exemplary" is used herein to mean "serving as an example, instance or illustration". Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or to exclude the incorporation of features from other embodiments. The word "optionally" is used herein to mean "is provided in some embodiments and not provided in other embodiments". It is appreciated that certain features of the present disclosure, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable combination or as suitable in any other described embodiment of the disclosure.

Claims

1. A method (100) of sub-flow correlation-based anomaly detection in a Content Distribution Network, CDN (204), the method (100) comprising: monitoring a number of Domain Name System, DNS, queries for one or more Uniform Resource Locators, URLs, to a DNS server per a time slot, monitoring a number of Transmission Control Protocol, TCP, requests related to said URLs that are handled by the CDN (204), after said DNS queries, for each time slot, calculating a correlation value between the number of the DNS queries and the number of the related TCP requests, and detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
2. The method (100) of claim 1, wherein the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics.
3. The method (100) of claim 1 or 2, wherein the DNS queries comprise Fully Qualified Domain Name, FQDN, resolution requests, and the TCP requests comprise Hypertext Transfer Protocol, HTTP, connection initiation requests.
4. The method (100) of any of claims 1 to 4, further comprising reporting the detected network anomaly to a traffic enforcement system.
5. The method (100) of any of claims 1 to 5, further comprising reporting the detected network anomaly to a Distributed Deny of Services, DDoS, detection system for a DDoS attack detection.
6. A non-transitory computer readable medium storing program codes causing a computer to implement a method of sub-flow correlation-based anomaly detection in a CDN (204) according to any of claims 1 to 5.
7. An apparatus (202) for sub-flow correlation-based anomaly detection in a Content Distribution Network, CDN (204), configured for: monitoring a number of Domain Name System, DNS, queries for one or more Uniform Resource Locators, URLs, to a DNS server (206) per a time slot by means of communicating with the DNS server (206), monitoring a number of Transmission Control Protocol, TCP, requests related to said URLs that are handled by the CDN (204), after said DNS queries, by means of communicating with an edge cache server of the CDN (204), for each time slot, calculating a correlation value between the number of the DNS queries and the number of the related TCP requests, and detecting a network anomaly if the calculated correlation value is outside a predefined tolerance range of a normal correlation.
8. The apparatus (202) of claim 7, wherein the tolerance range of the normal correlation is predefined based on the CDN benign traffic statistics.
9. The apparatus (202) of claim 7 or 8, being further configured for reporting the detected network anomaly to a traffic enforcement system.
10. The apparatus (202) of any of claims 7 to 9, being configured for reporting the detected network anomaly to a Distributed Deny of Services, DDoS, detection system for a DDoS attack detection.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202380098326.XA CN121219698A (en) 2023-05-16 2023-05-16 Methods, computer-readable media, and apparatus for anomaly detection based on substream correlation in content delivery networks.
PCT/EP2023/063128 WO2024235453A1 (en) 2023-05-16 2023-05-16 Method, computer-readable medium and apparatus for sub-flow correction-based anomaly detection in content distribution network

Publications (1)

Publication Number Publication Date
WO2024235453A1 true WO2024235453A1 (en) 2024-11-21
