GB2466922A - Monitoring behaviour in a network to determine chance that communication is undesirable - Google Patents
- Publication number
- GB2466922A
- Authority
- GB
- United Kingdom
- Prior art keywords
- network
- data
- nodes
- illegal
- detection units
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L29/06884
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/103—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for protecting copyright
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
System to detect and block the transmission of illicit, illegal or pirated copyright material across data networks by monitoring and tracking the reputation of the nodes concerned, within data networks which are sending and receiving the copyright data, and analysing the characteristics of the traffic flow. The system consists of detection units which are placed inside the data networks, such as peer to peer systems, and a central control unit which collates all the results from the remote detection units. The system includes a feedback loop, in which the detection units analyse the characteristics of the traffic flow and inform the central control unit, which also receives updates from other detection units in other parts of the network. Such updates are pushed back to the detection unit so that it can make a more accurate detection of material that the internet service provider might want to block, such as illegal images, viruses or illegal emails. This invention is also suitable for IPv4 and IPv6 networks.
Description
Copyright data detector and blocker.
Background
Recently there has been large growth in the downloading of illegal, copyright and protected material from the internet. There are many sources for the material, such as peer-to-peer (P2P) networks, newsgroups and many others.
It has become increasingly difficult to detect this type of communication, and to detect whether or not copyrighted material is being distributed. If you cannot detect whether copyrighted material is being transmitted, you cannot block that communication.
Most methods of identifying copyright material being transmitted involve looking at the actual data itself, and comparing that to a known (but limited) list of data files, or by analysing the type of computer application being used to transmit the data and identifying this type of traffic by deep packet inspection. Existing remedies are slow, expensive and have proved largely ineffective as new copyright material is released every day, as are new PC applications. Therefore the copyright detectors have to keep current with new and evolving material. Furthermore, those detectors simply looking at the computer application sending the data do not address the issue of detecting whether or not copyright material is being redistributed. It should be taken into account that a computer application might be transmitting non-copyright or even legitimate copyrighted material. For example, a legally purchased music album or video may be downloaded from an online music retailer, or television programmes might be downloaded from broadcasters such as the BBC or Sky.
Additionally, detection units that analyse the content of the data or the computer application being used have a problem in scalability. To apply such detectors to massive, high capacity networks such as those found in major telecommunications providers, the computational power of the detection units makes them difficult to deploy and very expensive.
Furthermore, many computer applications that transmit copyright material are evolving and have already started to encrypt the content, which makes detection of the material by inspecting the data difficult or even impossible.
Statement of Invention
To overcome this, the present invention proposes a new method to detect and block copyrighted and illegal material from being transmitted across networks without the need to gain knowledge of the application or the material being transmitted. This is achieved by analysing communication flows between points within a network, associating network points known to be holding copyright material with other points that communicate with them. Analysis is also done on the characteristics of the data flow and the characteristics of the points of the network involved in the transmission and receipt of the data. All factors are taken together to derive a conclusion on the likelihood of illegal copyright data being transmitted. The transmission can then be blocked or monitored.
Advantages
The invention detects and blocks copyright material from being transmitted on networks without having to analyse the material being transmitted or the protocol being used to transmit it.
The invention eliminates the need to maintain a list of computer application signatures, as there will be no need to analyse the computer application or protocol being used to transmit the material.
By not analysing the material or application, the need to maintain a list or signature of known copyright material is eliminated.
By not analysing the material or application, the need to delay the transmission of the material between two nodes so that the analysis can take place, is eliminated.
The invention enables the detection and blocking of copyright material on encrypted networks, where detection of the protocol and material would be impossible.
Preferably, each deployment of the invention communicates with every other previous deployment of the invention, passing information about locally observed communication of copyright material. This significantly increases the accuracy of the invention, since each deployment adds to the global knowledge of the system.
Detailed Description
Use Figure 1.
For the purposes of this description, a "node" is defined as any device which is capable of communicating with other devices across a data network. Such "nodes" can simply be personal computers, mobile phones, servers, or other data-capable devices. There are many forms of data networks, such as mobile networks, telecommunications networks, and indeed the internet as a whole. The invention can be applied to all forms of data network communication.
The invention is placed at convenient points within a network. The location of the invention is chosen to maximise the visibility of the communication flows between nodes. The probe's primary function is to monitor node-to-node communication and the number of bytes passed between those nodes (a byte being a well understood computer term representing eight bits of binary computer data). The secondary purpose of the invention is to (optionally) disrupt this communication between nodes.
Figure 1 shows eight network nodes (1, 2, 3, 4, 5, 6, 7, 8). Communication flows exist between some of these nodes (9), and the inventions (10, 11) are placed at convenient points in the network to analyse selected flows.
For each communication node the invention observes, the invention requests from a central control unit (12) a value of probability that the node contains copyright protected material. The central control unit returns the probability to the invention.
The invention then looks at the communication flows between nodes. For each communication flow it observes, it calculates a probability that copyrighted material is being transmitted. This probability calculation is based on several factors, in a variably weighted combination; these include but are not limited to:
1. The probabilities (as communicated by the central control unit) of the nodes communicating with the node in question.
2. The amount of data transferred between the communicating nodes.
3. Other network-specific information which can be deduced about the nodes from their addressing information. For example, it may be possible to determine whether the two communicating nodes are fixed nodes with a permanent network connection (such as a web site) or nodes with temporary network connections (such as personal computers, mobile phones etc.).
The invention periodically sends a message back to the central control unit, containing the calculated probability. The central control unit collates these messages from all of the deployed instances of the invention and uses them in part to recalculate the probabilities of nodes containing copyright material.
In addition to this feedback loop, other methods are used to increase or decrease the probability that a node is holding copyright material. These include but are not limited to:
1. Preferably, by seeding: a honey pot is a well understood term, and refers to a node on the network which advertises and seeks to upload copyright material from the network. By uploading material to other nodes, and downloading material from nodes, a profile of copyright infringing nodes is deduced, which is fed into the feedback loop.
2. By analysing the data: by downloading data from a node and comparing it to a list of known pieces of copyright data. Although such techniques are traditionally slow, the invention enhances the use of slow detection techniques because they can be run slowly in the background to increase the accuracy of the detection, without delaying the transmission of data through the invention. The invention can use the results of the slow analysis to enhance its accuracy.
3. A node having a permanent connection to the network decreases the probability of copyright material. Such permanent connections are typically used by web sites on the internet, which generally do not distribute copyright material. Conversely, a network address within a range typically assigned to dynamic users is typically not used by web sites and other common fixtures on the internet; such nodes have a greater probability of being involved in the transmission of copyright data.
4. Along with the "copyright probability" value for each node, there is also a time to live (TTL) for that probability. For a dynamically addressed node this is a lower value than for a permanently connected node. The probability of each node decays to a neutral value over a period of time if no information for that node is received. For nodes with a higher TTL, this decay to neutral takes a longer period of time.
The probability communicated to the detector by the central database can be used by the detector to optionally block communication to nodes that have a likelihood of containing copyright material above a given threshold.
The threshold is configurable so that the network administrator can set the desired level of protection.
The primary intention of the invention is to detect (and optionally block) the distribution of copyright material. The method described can also be used to detect the distribution of other types of illegal material, such as but not limited to, computer viruses, illegal images and illegal emails.
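The feedback loop, weighted flow scoring, TTL decay and threshold check described above, as an added worked model that is not code from the patent: the address range for the dynamic pool, the weights, the neutral value, the TTL lengths, the 700 MB size scale and the linear decay shape are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

NEUTRAL = 0.5            # assumed neutral value a reputation decays back to
TTL_DYNAMIC = 3600.0     # assumed TTL (seconds) for dynamically addressed nodes
TTL_STATIC = 86400.0     # assumed TTL (seconds) for permanently connected nodes
DYNAMIC_PREFIXES = ("10.20.",)   # constructed address range of a dynamic pool

def is_dynamic(addr):
    """Factor 3: deduce from the address whether a node is a temporary client."""
    return addr.startswith(DYNAMIC_PREFIXES)

@dataclass
class NodeRecord:
    prob: float      # probability the node holds infringing material
    ttl: float       # how long the last observation stays fully trusted
    updated: float   # time of the last observation

class CentralControlUnit:
    """Collates detector reports and answers per-node probability queries."""

    def __init__(self):
        self.nodes = {}

    def probability(self, addr, now):
        rec = self.nodes.get(addr)
        if rec is None:
            return NEUTRAL                       # never seen: neutral score
        age = now - rec.updated
        if age <= rec.ttl:
            return rec.prob
        # Past the TTL the score decays linearly to neutral over one more TTL
        # (the decay shape is an assumption; the patent only says it decays).
        frac = min(1.0, (age - rec.ttl) / rec.ttl)
        return rec.prob + (NEUTRAL - rec.prob) * frac

    def report(self, addr, flow_prob, now):
        """Feedback loop: blend a detector's flow estimate into the node score."""
        old = self.probability(addr, now)
        ttl = TTL_DYNAMIC if is_dynamic(addr) else TTL_STATIC
        self.nodes[addr] = NodeRecord(0.7 * old + 0.3 * flow_prob, ttl, now)

class Detector:
    """A deployed probe: scores each flow, reports back, optionally blocks."""

    def __init__(self, ccu, threshold=0.75, w_peer=0.6, w_bytes=0.3, w_addr=0.1):
        self.ccu, self.threshold = ccu, threshold   # threshold is administrator-set
        self.w_peer, self.w_bytes, self.w_addr = w_peer, w_bytes, w_addr

    def flow_probability(self, src, dst, nbytes, now):
        peer = max(self.ccu.probability(src, now), self.ccu.probability(dst, now))
        size = min(1.0, nbytes / (700 * 2**20))   # assumed: ~700 MB saturates factor 2
        addr = 1.0 if is_dynamic(src) and is_dynamic(dst) else 0.0
        return self.w_peer * peer + self.w_bytes * size + self.w_addr * addr

    def observe(self, src, dst, nbytes, now):
        """Score one flow, push it into the feedback loop, return (p, block?)."""
        p = self.flow_probability(src, dst, nbytes, now)
        self.ccu.report(src, p, now)
        self.ccu.report(dst, p, now)
        return p, p >= self.threshold
```

A honeypot-seeded node (factor 1 in the seeding list) can be modelled by pre-populating `ccu.nodes` with a high-probability `NodeRecord`; after 2 TTL periods without reports its score is back at `NEUTRAL`.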
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0900192A GB2466922A (en) | 2009-01-08 | 2009-01-08 | Monitoring behaviour in a network to determine chance that communication is undesirable |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0900192A GB2466922A (en) | 2009-01-08 | 2009-01-08 | Monitoring behaviour in a network to determine chance that communication is undesirable |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| GB0900192D0 (en) | 2009-02-11 |
| GB2466922A (en) | 2010-07-14 |
Family
ID=40379260
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB0900192A (Withdrawn) GB2466922A (en) | Monitoring behaviour in a network to determine chance that communication is undesirable | 2009-01-08 | 2009-01-08 |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2466922A (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050262556A1 (en) * | 2004-05-07 | 2005-11-24 | Nicolas Waisman | Methods and apparatus for computer network security using intrusion detection and prevention |
| US20050278542A1 (en) * | 2004-06-14 | 2005-12-15 | Greg Pierson | Network security and fraud detection system and method |
| US20070214151A1 (en) * | 2005-11-28 | 2007-09-13 | Threatmetrix Pty Ltd | Method and System for Processing a Stream of Information From a Computer Network Using Node Based Reputation Characteristics |
- 2009-01-08 GB GB0900192A patent/GB2466922A/en not_active Withdrawn
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110185423A1 (en) * | 2010-01-27 | 2011-07-28 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
| US8474039B2 (en) | 2010-01-27 | 2013-06-25 | Mcafee, Inc. | System and method for proactive detection and repair of malware memory infection via a remote memory reputation system |
| US8819826B2 (en) * | 2010-01-27 | 2014-08-26 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
| US8955131B2 (en) | 2010-01-27 | 2015-02-10 | Mcafee Inc. | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
| US9479530B2 (en) | 2010-01-27 | 2016-10-25 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
| US9769200B2 (en) | 2010-01-27 | 2017-09-19 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
| US9886579B2 (en) | 2010-01-27 | 2018-02-06 | Mcafee, Llc | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
| US10740463B2 (en) | 2010-01-27 | 2020-08-11 | Mcafee, Llc | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
| US9147071B2 (en) | 2010-07-20 | 2015-09-29 | Mcafee, Inc. | System and method for proactive detection of malware device drivers via kernel forensic behavioral monitoring and a back-end reputation system |
| US9536089B2 (en) | 2010-09-02 | 2017-01-03 | Mcafee, Inc. | Atomic detection and repair of kernel memory |
| US9703957B2 (en) | 2010-09-02 | 2017-07-11 | Mcafee, Inc. | Atomic detection and repair of kernel memory |
Also Published As
| Publication number | Publication date |
|---|---|
| GB0900192D0 (en) | 2009-02-11 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) | |