WO2000007312A1 - System for intrusion detection and vulnerability analysis in a telecommunications signaling network - Google Patents
- Publication number: WO2000007312A1 (PCT application PCT/US1999/017408)
- Authority: WO (WIPO, PCT)
- Prior art keywords: message, messages, signaling network, intrusion, telecommunications signaling
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F15/00—Digital computers in general; Data processing equipment in general
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1433—Vulnerability analysis
          - H04L63/1441—Countermeasures against malicious traffic
    - H04Q—SELECTING
      - H04Q3/00—Selecting arrangements
        - H04Q3/0016—Arrangements providing connection between exchanges
          - H04Q3/0025—Provisions for signalling
Definitions
- The present invention relates to a system and method for detecting intrusion into, and for assessing the vulnerability of, a telecommunications signaling network.
- Telecommunications signaling networks are susceptible to intrusion, meaning that a person may use software or physical means to cause disruption or denial of service within the network.
- A person may use software operating on a computer in an attempt to seize control of a particular node or link in the network and consequently cause a disruption or denial of service.
- A person may attempt to take physical control of an entity in the network, such as a link, resulting in a disruption or denial of service.
- Intrusions create an undesirable situation for communications service providers and for customers using the network.
- The disruptions or denials of service may inconvenience customers and potentially cause a loss in revenue for the communications service provider.
- A service provider may attempt to locate the disruption and determine a cause of the intrusion.
- The service provider only obtains an indication of the intrusion after it has already caused a disruption and thus cannot anticipate such an intrusion before it occurs.
- The service provider may not necessarily know in advance which portions of the network are most susceptible to an intrusion and thus may not know how best to monitor the network for potential intrusions.
- FIG. 1 is a diagram of an exemplary telecommunications signaling network and associated machine for monitoring the network
- FIG. 2 is a diagram of software modules operating on the machine shown in FIG. 1 for implementing an embodiment consistent with the present invention
- FIG. 3 is a flow chart of an exemplary process for monitoring a telecommunications signaling network for intrusion detection
- FIG. 4 is a flow chart of an exemplary process for determining vulnerability of a telecommunications signaling network to potential intrusion
- FIG. 5 is an exemplary user interface for entering set-up information for an intrusion detection process
- FIG. 6 is an exemplary user interface for displaying status information related to an intrusion detection process
- FIG. 7 is an exemplary user interface for displaying information related to a vulnerability analysis of a telecommunications signaling network.
- Apparatus and methods consistent with the present invention provide indications of attempted intrusions in a telecommunications signaling network and the vulnerability of particular elements in the network to attempted intrusions.
- An apparatus consistent with the present invention receives messages related to communications in a telecommunications signaling network. The apparatus applies intrusion rules to the messages in order to detect anomalies in the messages, and it reports an indication of the detected anomalies.
- Another apparatus consistent with the present invention receives rankings for particular parameters related to elements of a telecommunications signaling network.
- The apparatus applies vulnerability rules to the rankings in order to determine a likelihood of an attempted intrusion into the corresponding elements of the telecommunications signaling network, and it reports an indication of the likelihood of the attempted intrusions.
- A method consistent with the present invention includes receiving messages related to communications in a telecommunications signaling network. Intrusion rules are applied to the messages in order to detect anomalies in the messages, and an indication of the detected anomalies is reported.
- Another method consistent with the present invention includes receiving rankings for particular parameters related to elements of a telecommunications signaling network. Vulnerability rules are applied to the rankings in order to determine a likelihood of an attempted intrusion into the corresponding elements of the telecommunications signaling network, and an indication of the likelihood of the attempted intrusions is reported.
- Apparatus and method consistent with the present invention provide indications of attempted intrusions in a telecommunications signaling network and the vulnerability of particular elements in the network to attempted intrusions.
- Intrusion detection and vulnerability analysis are typically separate entities, and the operation of one is not necessarily dependent on the other.
- "Attempted intrusions" refers to attempts to disrupt or deny service in the network or to otherwise tamper with the network.
- Intrusion rules are applied to received messages in the network, typically in real time and using a known protocol for the network, in order to detect anomalies tending to indicate an attempted intrusion.
- "Messages" refers to any particular data element transmitted in the network.
- Standard telecommunications signaling networks use messages in order to provide particular telephone-related services to customers.
- "Intrusion rules" refers to any criteria or methodology for detecting the anomalies.
- Indications of the attempted intrusions may be presented, for example, in a user interface that includes a topological representation of a monitored portion of the network.
- Vulnerability rules are applied to rankings of particular parameters relating to elements in the network.
- "Vulnerability rules" refers to any criteria or methodology for processing the rankings to provide indications of likelihood of attempted intrusions with respect to particular elements in the network.
- "Rankings" refers to any information providing an indication of susceptibility of a particular network element to an attempted intrusion relative to one or more other network elements.
- A user interface may be presented in order to receive the rankings and to display indications of the vulnerability of elements in the network.
- FIG. 1 depicts a data processing system 100 suitable for practicing methods and systems consistent with the present invention.
- Data processing system 100 includes a machine 101 for intrusion detection and vulnerability analysis, connected to a network 107 such as a private or public telecommunications signaling network.
- Machine 101 includes a memory 102, a secondary storage device 104, a processor 105 such as a central processing unit, an input device 106, and a display device 103.
- Memory 102 and secondary storage 104 may store applications and data for execution and use by processor 105.
- Input device 106 may be used to enter information and commands into machine 101, and display device 103 provides a visual display of information in machine 101.
- Although machine 101 is depicted with various components, one skilled in the art will appreciate that this computer can contain additional or different components. Additionally, although machine 101 is shown connected to network 107, machine 101 may be connected to other networks, including other wide area networks or local area networks. Furthermore, although aspects of the present invention are described as being stored in memory, one skilled in the art will appreciate that these aspects can also be stored on or read from other types of computer program products or computer-readable media, such as secondary storage devices, including hard disks, floppy disks, or CD-ROM; a carrier wave from the Internet; or other forms of RAM or ROM. In addition, the computer-readable media may include instructions for controlling a computer system, such as machine 101, to perform a particular method.
- FIG. 2 is a diagram of software modules operating on the machine shown in FIG. 1 for implementing an embodiment consistent with the present invention. These modules include modules 200 for intrusion detection and modules 201 for vulnerability analysis of a network 202.
- Network 202 is a standard Signaling System 7 (SS7) protocol network and illustrates an example of network 107.
- Other examples of network 107 include an Integrated Services Digital Network (ISDN) and an X.25 network.
- A monitoring analyzer module 204 receives real-time data 203 from network 202.
- Real-time data 203 may include messages transmitted in an SS7 protocol network or other type of network.
- Monitoring analyzer 204 packages the data for analysis and forwards it in real-time to a data collector process module 205.
- Data collector process module 205 parses the received data to remove information from the messages not necessary for intrusion analysis, and it reformats the parsed messages to a consistent format to facilitate intrusion analysis.
- Data collector process module 205 alternatively may receive preformatted SS7 protocol messages 214 from a test file 208 for use in testing or verifying the intrusion detection capabilities of the system.
- An intrusion detection process module 206 receives the reformatted messages and performs processing of the messages to detect intrusion. In particular, it applies intrusion detection rules to the messages in order to detect anomalies in the messages or other events tending to indicate an attempt at intrusion into the network or to otherwise tamper with the network. These rules may be stored in memory or in a database such as memory 102 or secondary storage 104, or they may be implemented in hard-wired logic.
- After or during performance of the intrusion detection processing, intrusion detection process 206 outputs the results to an intrusion log 209, which maintains a time-stamped history of the processing in the form of a textual listing, and it outputs the results to a display management process module 207.
- The textual listing may be printed in hard copy form using a printer connected to machine 101 or may be displayed on display device 103.
- Display management process module 207 formats the processed data for display within a topology status display 210, which may be displayed by display device 103.
- Topology status display 210 provides a visual indication of the status of the monitored network and indications of intrusions into the network, and an example of a user interface for the topology status display is described below.
- A topology database 215 stores information representing a topology or interconnectivity of network 202.
- Intrusion detection process module 206 and display management process module 207 may access database 215 in order to retrieve the topology information and use it in the processing performed by those modules.
- Topology database 215 may also store the rules used by intrusion detection process module 206.
- Topology database 215 may correspond to secondary storage 104, and it may be implemented, for example, with a Sybase database.
- Vulnerability analyzer modules 201 include a vulnerability analysis process module 212 and a display management process module 211.
- Vulnerability analysis process module 212 receives the network topology information from topology database 215, and it applies vulnerability rules to the topology information in order to determine the vulnerability of elements in network 202 to intrusion attempts. Examples of these rules are provided in the Appendices.
- Vulnerability analysis process module 212 outputs the results of its analysis to a vulnerability log 213, which maintains a time-stamped history of the processing in the form of a textual listing, and it also outputs the results to a display management process module 211.
- The textual listing may be printed in hard copy form using a printer connected to machine 101 or may be displayed on display device 103.
- Display management process module 211 operates in a similar manner as module 207. In particular, it receives output results from module 212 and formats the received data for presentation in a user interface by display device 103. An example of a user interface for presenting the vulnerability process data is described below.
- FIG. 3 is a flow chart of an exemplary process 300 for monitoring a telecommunications signaling network for intrusion detection.
- Process 300 may be implemented on machine 100 operating under control of intrusion detector modules 200 and module 204.
- The system receives communication messages from the network, such as SS7 messages provided by monitoring analyzer module 204 from network 202 (step 301).
- The system parses and formats the messages using data collector process module 205 (step 302).
- Intrusion rules are applied by intrusion detection process module 206 to the formatted messages to detect anomalies or other events in the network tending to indicate an attempted intrusion (step 303).
- The results are reported and potentially displayed by display device 103, using intrusion log 209 or topology status display 210, to provide a visual indication of attempted intrusions into network 202 and potentially the status of the network (step 304).
- FIG. 4 is a flow chart of an exemplary process 400 for determining vulnerability of a telecommunications signaling network to potential intrusions.
- Process 400 may be implemented on machine 100 operating under control of vulnerability analyzer modules 201.
- Process 400 operates by using static rankings processed as input weightings according to particular rules to generate further rankings. The process may be performed iteratively such that the output from one particular processing rule may be input as a ranking to another rule.
- The boxes in process 400 represent static rankings for particular parameters related to the network, and the circles represent vulnerability rules for processing the rankings. Examples of these vulnerability rules are provided in the Appendices.
- Parameters providing rankings as particular weightings for processing by vulnerability rules include the following: a percent utilization 401, a number of links 402, a percent traffic external 403, a monitoring 404, a screening 405, a media type 406, a transmission provider 407, a services 411, a user service rank 413, a connectivity by service 414, a node occupancy by service 416, and a user SSP ranking 418.
- A functional capacity rank rule 408 receives inputs from parameters 401-404 and produces a result according to the function of rule 408.
- A security rank rule 409 receives inputs from parameters 404 and 405 and produces a result according to the function of rule 409.
- A physical access rank rule 410 receives inputs from parameters 406 and 407 and produces a result according to the function of rule 410.
- A functional services rank rule 412 receives as input parameters 411 and 404, as well as the output from rule 409, and produces a result according to the function of rule 412. The process continues iteratively as an inherent link ranks rule 420 receives the outputs from rules 408, 409, 410, and 412, and produces a result according to the function of rule 420.
- Rule 420 provides one input to a most critical links rule 422. The following provides the other input to most critical links rule 422.
- An SCP criticality rule 415 receives as inputs parameters 413, 414, and 416, and it produces a result according to the function of rule 415.
- An STP criticality rule 417 receives as inputs parameters 414 and 416, and the output of rule 415, and it produces a result according to the function of rule 417.
- An SSP criticality rule 419 receives as inputs parameters 414, 416, and 418, and it produces a result according to the function of rule 419.
- A most critical nodes rule 421 receives the outputs from rules 417 and 419, and it provides the other input to most critical links rule 422. Therefore, as a result of this iterative process, the result of rule 422 provides an indication of the most vulnerable link in the network, and the result of rule 421 provides an indication of the most vulnerable node in the network, the phrase "most vulnerable" meaning that it is the element most likely to be susceptible to an attempted intrusion.
- FIG. 5 is an exemplary user interface 500 for use in entering set-up information for an intrusion detection process such as process 300.
- User interface 500 may be displayed on display device 103.
- User interface 500 includes a first section 501 used to receive threshold values for detection of intrusion, a second section 502 used to identify a point in the network from which the intrusion detection process receives data, and a third section 503 used to save and retrieve set-up information so that a user need not repeatedly enter the same set-up information.
- A user may enter relevant information into sections 501 and 502 using input device 106, and section 502 identifies where data 203 originates in network 202 and thus provides a reference point for performing an intrusion detection process.
- FIG. 6 is an exemplary user interface 600 for displaying status information related to intrusion detection such as information produced by process 300.
- User interface 600 may be displayed on display device 103.
- User interface 600 includes a main section 601 for displaying a topological representation of a portion of the network and including information indicative of various conditions in the network. These conditions may provide an indication of attempted intrusions in the network.
- A displayed node 602 corresponds to the node identified in section 502 of user interface 500, and node 602 represents the node from which the system receives data.
- Other displayed nodes 603 and 604 represent nodes located one link away from node 602 in the monitored network.
- Each of the displayed nodes includes associated point codes and link information, displayed adjacent the corresponding node.
- Section 601 also displays lines between the nodes, and the lines represent the corresponding links.
- When a user selects a particular displayed node, the system displays a section 605 for presenting node information relating to the selected node.
- The node information may include a ranking determined by a vulnerability analysis.
- When a user selects a particular displayed link, the system displays a section 606 for presenting static information relating to the selected link, including link attributes, an anomaly history, and a linkset selection label.
- The anomaly history may correspond to history log 209.
- The user may select a particular node or link by, for example, using a cursor-control device to "click on" the particular node or link.
- The system may optionally present the links in different colors to provide indications of varying conditions. For example, it may present the links using the following colors: green for a normal condition; yellow for a minor condition; orange for a major condition; red for a critical condition; and gray to indicate that the link is not monitored.
- The various conditions may be determined by the detected anomalies from module 206 and particular predefined thresholds, which are further explained in the Appendices.
- FIG. 7 is an exemplary user interface 700 for displaying information related to a vulnerability analysis such as process 400.
- User interface 700 may be displayed on display device 103.
- User interface 700 includes various sections in which a user may enter rankings for use by the rules in process 400. For example, it includes a section 701 to receive values for a services ranking and a section 702 to receive values for an SSP ranking.
- A user may select an appropriate tab 703 on a menu bar to view the corresponding section 701 or 702.
- User interface 700 may include additional tabs 703 and sections for receiving information concerning other rankings.
- Appendix A includes a system overview for an exemplary intrusion detection process and vulnerability analysis
- Appendix B includes a software user's manual for an exemplary intrusion detection process and vulnerability analysis
- Appendix C includes a software design document for an exemplary intrusion detection process and vulnerability analysis
- Appendix D includes a description of exemplary vulnerability analysis attributes and algorithm, including vulnerability rules
- Appendix E includes a description of exemplary intrusion detection algorithms including intrusion rules.
- GUI: Graphical User Interface
- SS7: Signaling System 7
- PSTN: Public Switched Telephone Network
- An attack on the SS7 network can actually be accomplished through the manipulation and exploitation of the SS7 message protocol itself by means of message insertion onto the network signaling links.
- The SS7 network is inherently vulnerable to such attacks for two (of several) reasons: the SS7 protocol does not include security, and SS7 was built for robustness and thus is very forgiving to anomalous states.
- The System includes two tools: an SS7 Intrusion Detection Tool and a Vulnerability Analysis Tool.
- The operational concept is that the intrusions would be well organized, with the intent of service disruption or service denial through insertion of SS7 messages into the SS7 message traffic stream. Due to the "equal access" provision of the 1996 Telecommunications Reform Act, concern within the PSTN industry has increased over the fear of new and unknown carriers entering the market. These unknown entities pose a new threat to the SS7 network since they can demand full interconnection capabilities into the existing SS7 network while providing only limited visibility into their operations. Hence a modestly funded operator could gain full access to the SS7 network for illicit purposes.
- The purpose of the System SS7 Network Vulnerability Analysis Tool is to allow the user to determine which network elements in the SS7 Network are most vulnerable to an SS7 Message Insertion attack designed for Service Disruption/Denial. As the analysis relates to Intrusion Detection, the results are used to indicate where Intrusion Detection resources should be applied in the Network, based on the evaluated preferences supplied by the operator.
- The Vulnerability Analysis Tool uses an SS7 Network Topology database which contains a set of attributes describing all of the SS7 Network Elements (links and nodes). These Network Element attributes are evaluated against a set of attribute weighting factors and against formulas relating combinations of attributes. The user has the ability to modify attribute weightings to tailor the analysis for specific preferences.
- The real-time SS7 Intrusion Detection Tool provides SS7 link monitoring and analysis of SS7 message traffic for anomalous events which indicate possible intrusion into the message stream.
- The Intrusion Detection algorithms apply rules-based logic and event thresholding against the message traffic stream.
- The logic evaluates message sequence and timing irregularities, inconsistent parameter values, and exceeded thresholds of message type occurrences.
- The User Interface consists of a Network Topology display of the monitored network nodes and corresponding signaling linksets.
- The linkset status is indicated to the user by coloring the link icons corresponding to the severity of the detected anomaly.
- The detected anomaly text is displayed to the user in an Alarm Status window.
- ISUP: ISDN User Part
- The current SS7 message is finally stored, to be used in the next anomaly test.
- The GUI is the mechanism used to allow the system operator to configure the system, start and stop operations, and view the message analysis results on a topological status display.
- The design reflects a network management type display to the user.
- A network topology display depicts the network elements (in this case SS7 nodes and links).
- Upon initialization of this process, the GUI retrieves configuration and network topology information from the corresponding databases to construct a view of the local SS7 network infrastructure (nodes, signal links, etc.), relative to the link being monitored.
- This view is used to communicate to the operator the current state of each link of that local network. All direct links to the link being monitored are represented by a dashed line. The link being monitored is represented by a solid line to differentiate itself.
- The Intrusion Detector accepts the following information from the GUI message queue for configuration and control: a) START operation; b) STOP operation; c) PAUSE operation; d) Send Status Statistic data; e) Threshold and parameter values for algorithms.
- When an anomaly is detected, a message is sent to the GUI input queue for display.
- The message will indicate the following information about the anomaly: a) the SS7 message (protocol analyzer output format); b) a time stamp generated by the Data Collector; c) the rule(s) fired that caused the anomaly report; d) the link affected and the color code indicating the anomaly ranking (GREEN, YELLOW, ORANGE or RED) as displayed to the operator.
- The Data Collector accepts SS7 message data from both a protocol analyzer and a test file source. It is a real-time operation, which is comprised of three primary functions: the Message Parser, the input stream multiplexer and the output message queue.
- This subsystem is minimal; however, partitioning of the collection functionality enables the possibility of porting it to another processor if the performance is required. Also, it isolates the impact to the other subsystems if there are hardware changes to the front-end collection method (e.g., change of protocol analyzer).
- The Data Collector can manage inputs from a live message stream from a protocol analyzer source, or from a test file, or both.
- The Message Parser is invoked to reformat the SS7 data into a condensed format needed by the Intrusion Detector process.
- When live data is combined with test file data, the test file data must be multiplexed into the live data stream. This combined mode is useful since it allows injection of test SS7 intrusion messages against a background of live nominal SS7 messages. In this manner, the Intrusion Detector can be tested against real message traffic (and message traffic volume) and still be able to test specific intrusion scenarios without the need to inject anomalies onto the actual network.
- The protocol analyzer used is an Inet Turbo-7 with an MSU Forwarding option.
- The MSU Forwarding feature provides TCP/IP forwarding capability for the collected SS7 Message Signal Units (MSUs).
- The Turbo-7 protocol analyzer outputs the SS7 messages as received, in time sequence, from all of the monitored SS7 links. Each message has a header consisting of the port and timestamp, followed by the raw SS7 message.
- The Turbo-7 output message format is shown in the Software User's Manual.
- The Message Parser operates as a go-between from the protocol analyzer to the Intrusion Detector process.
- The input from the protocol analyzer is received over a TCP/IP socket interface.
- Each message is analyzed and reformatted by message type, retaining only those parameters required by the Intrusion Detector process. If additional message types and/or message parameters are desired, or if different message collection hardware is used, the Message Parser can be modified without impact to follow-on processes.
- Test files allow the Intrusion Detector to run in a testing/simulation configuration when it is not desired, or when it is impractical, to have a live network connection.
- The test file is simply a concatenated set of SS7 messages in the data format output by the Message Parser.
- The messages can represent data from any protocol analyzer port with any values desired in the data fields. Therefore, test files can be set up to emulate normal SS7 network traffic on a variety of signaling links with embedded anomalies.
- Although test files use the data formats output by the Message Parser, there is one distinction: the timestamp field.
- The test file timestamp field represents a time delay rather than an absolute time. This convention was established in order to accommodate both a real-time aspect to the test data timing and to facilitate test file message injection into the live data stream.
- Test file formats are described in the Input MSU Test File section of the Software User's Manual.
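The delay-not-absolute timestamp convention and the combined live-plus-test mode, worked through in Python as an added example that is not the patent's code; the condensed record layout (ts, port, mtype, opc, dpc) and the test-file line format are constructed here, since the page defers the real formats to the Software User's Manual.

```python
import heapq

def parse_test_file(text, start):
    """Constructed test-file format: one message per line, 'delay port mtype opc dpc'.
    Following the page's convention, the first field is a delay in seconds since the
    previous test message, not an absolute time; delays accumulate from `start`."""
    records, t = [], start
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        delay, port, mtype, opc, dpc = line.split()
        t += float(delay)
        records.append((t, int(port), mtype, int(opc), int(dpc), "test"))
    return records

def multiplex(live, test_text):
    """Combined mode: merge live records (absolute, time-ordered timestamps) with a
    test file anchored at the first live timestamp, preserving time order so the
    detector's timing and sequence rules see a realistic interleaving."""
    live = [(*r, "live") for r in live]
    start = live[0][0] if live else 0.0      # test-only mode starts at t = 0
    return list(heapq.merge(live, parse_test_file(test_text, start), key=lambda r: r[0]))

# Constructed sample: a normal ISUP call on link 1 plus two injected test messages.
LIVE = [(100.0, 1, "IAM", 101, 300), (100.4, 1, "ACM", 300, 101), (101.0, 1, "ANM", 300, 101)]
TEST_FILE = """# delay port mtype opc dpc
0.1 1 TFP 999 300
0.6 1 IAM 999 300
"""

def run_multiplex_sample():
    return multiplex(LIVE, TEST_FILE)
```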
- The Network Topology Database provides the intrusion detection algorithms with the required relevant infrastructure data of the SS7 network.
- The network topology information and its format are described in the Software User's Manual.
- The topology data is used by the Intrusion Detector to perform several types of legitimacy checks of the message point codes. Basically, checks are made to ensure that the messages are originating from legitimate locations and are arriving over the proper routes. These checks are based on message type.
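The three rule families named in the overview (message sequence irregularities, inconsistent parameter values, exceeded thresholds of message type occurrences) together with the point-code legitimacy check against the topology, worked through in Python as an added example that is not the patent's software; the condensed record (Msu), the topology table, the thresholds, the circuit-consistency rule and the sample traffic are all constructed here.

```python
"""Rule-based anomaly detector after the Intrusion Detector described above.
Added example, not the patent's code: the condensed record (Msu), the topology
table, the thresholds and the sample traffic are constructed for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

GREEN, YELLOW, ORANGE, RED = "GREEN", "YELLOW", "ORANGE", "RED"
RANK = {GREEN: 0, YELLOW: 1, ORANGE: 2, RED: 3}   # severity order for the display

@dataclass(frozen=True)
class Msu:                 # condensed message as the Message Parser would hand it on
    ts: float              # Data Collector timestamp, seconds
    port: int              # analyzer port, i.e. the monitored link
    mtype: str             # condensed message type, e.g. "IAM", "REL", "TFP"
    opc: int               # originating point code
    params: dict = field(default_factory=dict)

@dataclass
class Anomaly:
    msg: Msu
    rules: list            # rule(s) fired, as reported to the Alarm Status window
    link: int
    color: str             # worst colour among the fired rules

class Detector:
    def __init__(self, topology, thresholds, window_s=1.0):
        self.topology = topology        # {port: set of OPCs legitimate on that link}
        self.thresholds = thresholds    # {mtype: (yellow, orange, red) count per window}
        self.window_s = window_s
        self.recent = defaultdict(deque)    # (port, mtype) -> timestamps in window
        self.active_cic = defaultdict(set)  # port -> circuits with an open IAM
        self.log = []                       # time-ordered anomaly history

    def _rate_rule(self, m):
        """Exceeded threshold of message-type occurrences in a sliding window."""
        q = self.recent[(m.port, m.mtype)]
        q.append(m.ts)
        while m.ts - q[0] > self.window_s:
            q.popleft()
        for color, limit in zip((RED, ORANGE, YELLOW),
                                reversed(self.thresholds.get(m.mtype, ()))):
            if len(q) >= limit:
                return f"rate:{m.mtype}>={limit}", color
        return None

    def _point_code_rule(self, m):
        """Legitimacy check: does this OPC belong on the link it arrived over?"""
        legit = self.topology.get(m.port)
        if legit is None:
            return None                 # link not in topology: not monitored
        if m.opc not in legit:
            return f"opc {m.opc} not legitimate on link {m.port}", RED
        return None

    def _sequence_rule(self, m):
        """Sequence/parameter consistency on ISUP circuits (constructed rule)."""
        cic = m.params.get("cic")
        if cic is None:
            return None
        active = self.active_cic[m.port]
        if m.mtype == "IAM":
            if cic in active:
                return f"IAM on busy cic {cic}", ORANGE
            active.add(cic)
        elif m.mtype == "REL":
            if cic not in active:
                return f"REL without IAM on cic {cic}", YELLOW
            active.discard(cic)
        return None

    def process(self, m):
        fired = [r for r in (self._rate_rule(m), self._point_code_rule(m),
                             self._sequence_rule(m)) if r]
        if not fired:
            return None
        a = Anomaly(m, [name for name, _ in fired], m.port,
                    max((c for _, c in fired), key=RANK.get))
        self.log.append(a)
        return a

    def link_status(self, port):
        """Link colour for the topology display: worst anomaly seen, else green."""
        colors = [a.color for a in self.log if a.link == port]
        return max(colors, key=RANK.get) if colors else GREEN

TOPOLOGY = {1: {101, 102}, 2: {201}}   # constructed: legitimate OPCs per link
THRESHOLDS = {"IAM": (5, 10, 20)}       # constructed IAM limits per 1 s window

def sample_traffic():
    """Constructed traffic: four normal IAMs, a stray REL, a foreign OPC, a burst."""
    msgs = [Msu(0.1 * i, 1, "IAM", 101, {"cic": i}) for i in range(4)]
    msgs.append(Msu(0.5, 1, "REL", 101, {"cic": 99}))        # release with no setup
    msgs.append(Msu(0.6, 1, "TFP", 999))                      # OPC not on link 1
    msgs += [Msu(1.0 + 0.05 * i, 2, "IAM", 201, {"cic": 10 + i}) for i in range(5)]
    return msgs

def run_sample():
    d = Detector(TOPOLOGY, THRESHOLDS)
    return d, [a for a in map(d.process, sample_traffic()) if a]
```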
- The primary responsibility of the Vulnerability Analyzer is to evaluate SS7 infrastructure data and determine the locations most vulnerable to SS7 network intrusion. The goal was to produce a tool that evaluated the network vulnerability in the same manner as a network analyst evaluates the network. To demonstrate the ability to evaluate different operational priorities, the user is able to designate certain evaluation parameters.
- The analyzer retrieves network topology information from the database. These Network Element attributes are evaluated against a set of attribute weighting factors and against formulas relating combinations of attributes. The attributes are stored in the topology database, whereas the rankings are stored in a configuration file (refer to the Software User's Manual for descriptions).
- The user has the ability to modify attribute rankings to tailor the analysis for specific evaluation preferences such as:
- AIN: Advanced Intelligent Network
- POTS: Plain Old Telephone Service
- the evaluation formulas have been implemented within the software. Below is an outline of the analysis logic that is performed. Every attribute of every node and link within the network is evaluated. A base score for each node and link is established and is subsequently modified at each stage of the evaluation. The influence of each attribute on the vulnerability score is determined by the value of the attribute and by the importance ranking of that attribute. The rankings act as a weighting applied to the attribute value within the formula and control how strongly the attribute modifies the overall vulnerability score. As each node and link is evaluated, combinations of attributes are also evaluated and ranked.
- the criterion for determining the most critical node is a score of 10 or above. If more than one node is identified as reaching a score of 10, then each node is listed with its corresponding list of vulnerable links to that node (this is because the number of hops to the critical node is determined from each link).
- the nodes are primarily evaluated to determine their criticality to the overall network operations and thus their desirability to attack.
- each STP pair is evaluated based on the number of SSPs directly connected to the STP and the volume of SS7 traffic routed through the STPs.
- node criticality becomes a function of not only the number and traffic of directly connected SSPs but also the number of indirectly connected SSPs that also gain access to the AIN service through the STP.
- the overall evaluation of the links is an effort to assess the inherent vulnerability to inserting messages onto the links to gain access to the critical nodes.
- the links are also evaluated on the criticality attributes related to traffic load and service. Therefore, the user service rankings also influence the link vulnerability.
- this functional capacity ranking is used throughout the evaluation to modify the other inherent vulnerability attribute scores. At the end of the inherent link vulnerability
- the majority of the link attributes relate to inherent vulnerabilities of the links to SS7 message insertions aimed at affecting the critical nodes. Some examples are listed below.
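The scoring outline above can be made concrete with a small program. This is an added example, not code from the patent or the system it describes: the attribute names, the 1..10 importance rankings, the single "combination" rule, the 1.5-point-per-hop modifier on link scores, and the sample topology are all assumptions made for the illustration. What the page does fix is kept: every attribute is weighted by its ranking, a node scoring 10 or above is critical, link scores fall on a 1..10 scale, and links are ranked against each critical node by their distance in hops.

```cpp
// Added example: weighted vulnerability scoring for SS7 nodes and links.
// Attribute names, rankings, the combination rule and the hop penalty are
// assumptions for this illustration, not the patent's actual formulas.
#include <algorithm>
#include <iostream>
#include <map>
#include <queue>
#include <string>
#include <vector>

using Weights = std::map<std::string, int>;     // attribute -> user ranking 1..10
using Attrs   = std::map<std::string, double>;  // attribute -> value 0 (benign) .. 1 (worst)

struct Node { std::string name; Attrs attr; };
struct Link { std::string name, a, b; Attrs attr; };   // a, b: end nodes
struct Topology { std::vector<Node> nodes; std::vector<Link> links; Weights weights; };

// Ranking-weighted average of the element's attributes, mapped onto 1..10.
// An attribute without a ranking (or ranked 0) is ignored, i.e. switched off.
double weightedScore(const Attrs& attrs, const Weights& w) {
    double num = 0.0, den = 0.0;
    for (const auto& [name, value] : attrs) {
        auto it = w.find(name);
        if (it == w.end() || it->second <= 0) continue;
        num += it->second * std::clamp(value, 0.0, 1.0);
        den += it->second;
    }
    return den == 0.0 ? 1.0 : 1.0 + 9.0 * num / den;
}

double attrOr0(const Attrs& a, const char* key) {
    auto it = a.find(key);
    return it == a.end() ? 0.0 : it->second;
}

// Node criticality: weighted attributes plus one assumed combination rule
// (many direct SSPs together with heavy traffic earns a bonus scaled by the
// traffic ranking). Deliberately not clamped so "10 or above" can be tested.
double nodeCriticality(const Node& n, const Weights& w) {
    double s = weightedScore(n.attr, w);
    if (attrOr0(n.attr, "ssp_direct") >= 0.8 && attrOr0(n.attr, "traffic") >= 0.8) {
        auto it = w.find("traffic");
        s += (it == w.end() ? 0 : it->second) / 10.0;
    }
    return s;
}

std::vector<std::string> criticalNodes(const Topology& t) {
    std::vector<std::string> out;
    for (const auto& n : t.nodes)
        if (nodeCriticality(n, t.weights) >= 10.0) out.push_back(n.name);
    return out;
}

// Breadth-first hop count between two nodes over the links; -1 if unreachable.
int hops(const std::string& from, const std::string& to, const std::vector<Link>& links) {
    std::map<std::string, std::vector<std::string>> adj;
    for (const auto& l : links) { adj[l.a].push_back(l.b); adj[l.b].push_back(l.a); }
    std::map<std::string, int> dist{{from, 0}};
    std::queue<std::string> q;
    q.push(from);
    while (!q.empty()) {
        std::string cur = q.front(); q.pop();
        if (cur == to) return dist[cur];
        for (const auto& nxt : adj[cur])
            if (!dist.count(nxt)) { dist[nxt] = dist[cur] + 1; q.push(nxt); }
    }
    return -1;
}

// Link vulnerability relative to one critical node: the inherent weighted score,
// lowered by an assumed 1.5 points per hop from the link's nearer end to the
// critical node, clamped to the 1..10 scale the manual describes.
double linkVulnerability(const Link& l, const std::string& critical, const Topology& t) {
    double inherent = weightedScore(l.attr, t.weights);
    int ha = hops(l.a, critical, t.links), hb = hops(l.b, critical, t.links);
    int h = (ha < 0) ? hb : (hb < 0 ? ha : std::min(ha, hb));
    if (h < 0) return 1.0;   // the critical node cannot be reached from this link
    return std::clamp(inherent - 1.5 * h, 1.0, 10.0);
}

// All links ranked for one critical node, most vulnerable first.
std::vector<std::pair<std::string, double>> rankLinks(const std::string& critical, const Topology& t) {
    std::vector<std::pair<std::string, double>> out;
    for (const auto& l : t.links) out.emplace_back(l.name, linkVulnerability(l, critical, t));
    std::sort(out.begin(), out.end(), [](const auto& x, const auto& y) { return x.second > y.second; });
    return out;
}

// Constructed sample: a busy STP pair, one SSP, three links, made-up values.
Topology sampleTopology() {
    Topology t;
    t.weights = {{"ssp_direct", 10}, {"traffic", 10}, {"ssp_indirect", 5}, {"media", 8}, {"physical_access", 10}};
    t.nodes = {{"STP_A", {{"ssp_direct", 1.0}, {"traffic", 1.0}, {"ssp_indirect", 0.9}}},
               {"STP_B", {{"ssp_direct", 0.5}, {"traffic", 0.6}, {"ssp_indirect", 0.4}}},
               {"SSP_C", {{"ssp_direct", 0.0}, {"traffic", 0.3}, {"ssp_indirect", 0.0}}}};
    t.links = {{"L1", "STP_A", "STP_B", {{"media", 1.0}, {"physical_access", 0.9}}},
               {"L2", "STP_B", "SSP_C", {{"media", 0.2}, {"physical_access", 0.4}}},
               {"L3", "SSP_C", "SSP_D", {{"media", 1.0}, {"physical_access", 1.0}}}};
    return t;
}

int main() {
    Topology t = sampleTopology();
    for (const auto& c : criticalNodes(t)) {
        std::cout << "critical node " << c << '\n';
        for (const auto& [link, score] : rankLinks(c, t)) std::cout << "  " << link << ' ' << score << '\n';
    }
}
```

With the sample data only STP_A reaches the critical threshold (9.82 from its attributes plus the combination bonus). Link L3 is fully exposed on its own attributes (inherent 10.0) but sits two hops from STP_A, so it ranks below L1, the directly attached link: the hop modifier is what turns raw exposure into exposure that matters for the critical node.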
- the Vulnerability Analyzer accepts the following information from the GUI message queue for configuration and control: a) START operation b) STOP operation c) PAUSE operation
- the textual results file is displayed to the user in a scrollable window.
- the POTS case lists the critical node(s) followed by the most vulnerable links to that node.
- the AIN case also indicates the most critical SCP.
- the Network Topology Database provides the Vulnerability Analyzer algorithms with the required relevant infrastructure data of the SS7 network.
- the Vulnerability Analyzer requires many additional attributes assigned to the nodes and links.
- routing in the GTE network from local STPs to regional STPs changes depending on the AIN service being accessed. This data had to be derived from drawings of the network topology and required manual analysis and database algorithms to derive the proper link routes.
- the Network Topology Database is the persistent storage for the GTE SS7 network infrastructure. It contains all the nodal and link information required to implement both the Intrusion Detector and the Vulnerability Analyzer processes.
- in response to a client process, the database provides the means, first, of determining the data set being requested by the client, and second, of sending the data set to the proper process input message queue.
- the GUI and the Intrusion Detector use the same information set from the database.
- the GUI extracts the information needed to construct the operator's view of the local SS7 network, used to display the real-time conclusions of the Intrusion Detector.
- the Intrusion Detector uses the link-node relationships to accomplish its algorithms (e.g., determine nearest neighbor, etc.).
- the Vulnerability Analyzer requires a different information set from that of the Intrusion Detector. Its requirements include not only link-node relationships, but also link media type, node supplier, SS7 services provided, and so on.
- FIGURE 6-1 VULNERABILITY ANALYSIS TOP LEVEL GUI
- the System Network and Signal Infrastructure Vulnerability Analysis and Intrusion Detection System (hereafter referred to as the system) is a software application capable of providing real-time protection to the U.S. telecommunications Signaling System No. 7 (SS7) infrastructure.
- the goal of the system is to perform the following: a) Determine the vulnerability of the SS7 network based on its topology and identify the network elements most vulnerable to intrusion; b) Detect intrusions on the SS7 links being monitored; c) Provide a user interface for operator control and status display in support of the above processes.
- the system uses a Sun Microsystems SPARC-20 platform, running the Solaris 2.5 operating system.
- This Software User's Manual describes the procedures required for using the System prototype.
- This system software includes two (2) independent tools: a) Intrusion Detector (including SS7 Monitoring, User Interface, and Anomaly Detection processes) b) Vulnerability Analyzer (User Interface and Vulnerability Analysis processes)
- $(SYSTEMHOME)/config defines the path of the System configuration subdirectory. iii) setenv XENVIRONMENT $INTR_CONFIG/gui.res, where
- $INTR_CONFIG/gui.res defines the configuration file used for the X window environment. iv) setenv MOTIFHOME /opt/Motif124/usr, where pathname defines the path of the
- This section describes the information and instructions necessary for user interaction with the system Intrusion Detector. It gives the step-by-step procedures for executing the software and identifies the options available to the user.
- GUI Graphical User Interface
- the application provides the capability to save and retrieve both configuration and output log files via the GUI.
- the application provides the capability to view and modify all adjustable parameters required by the intrusion detection algorithms, for maximum flexibility and expansion.
- the following list describes each of these GUI-adjustable parameters.
- the application provides the capability to enter the monitor point(s) to which the protocol analyzer is connected. This data is used to define the local topology view displayed to the user.
- the monitor points are entered using the "View
- the application provides the capability to start and stop processing of the application using the "Control Start" and the "Control Stop" GUI menu options, respectively.
- the application provides the capability to terminate execution of the application using the "File Exit" menu option provided by the GUI.
- the protocol analyzer selected for the system is the INET Turbo-7 protocol analyzer. Up to four (4) SS7 links can be monitored at one time by this device.
- the message format, shown in Table 5-2, is expected from the analyzer via the TCP/IP port.
- This section describes the MSU formats used by the input test file.
- the test file injects the test MSU into the real-time path for the purpose of diagnostics.
- Table 5-3 details the different formats expected for the different SS7 MSU types.
- This section identifies all error messages output by the system, the meaning of each error message, and the action to be taken when each message appears. These messages are displayed to the user via the GUI.
- faults are logged by each individual process into its corresponding flat file. Each fault log can be enabled/disabled by the system configuration file previously loaded.
- This section describes the information and instructions necessary for user interaction with the System Vulnerability Analyzer. It gives the step-by-step procedures for executing the software and identifies the options available to the user.
- This section describes the initialization and startup procedures necessary to execute the software. To launch the Vulnerability Analyzer executable, type Vulnerability Analysis on the command line of your UNIX shell. Upon startup of the System's Vulnerability Analyzer application, the following events are performed: a) The required environment variables are retrieved from the system. These variables are defined in section 4. b) The application retrieves its default configuration from the startup initialization file "init_config.vuln". This file is stored in the directory SYSTEMHOME/config.
- GUI Graphical User Interface
- the application provides the capability to save and retrieve both configuration and analysis result files via the GUI under the File selection.
- the Save selection allows the user to save the current analysis results to a user-specified file name. Also, the user may select to save the current configuration to a user-specified file name for later retrieval.
- the Retrieve selection allows the user to retrieve an analysis results log or to retrieve an existing configuration file.
- the File window appears.
- the user may then enter a filter selection and click on the Filter button to narrow his selection, and click on a file name in the Files section.
- the selected file is displayed under Selection and the user clicks on OK to load the file into memory.
- the user must select Retrieve Analysis. Note that the file is not editable via the GUI.
- the parameters contained in the configuration file are described in Table 6-1.
- the application provides the capability to view and modify the rankings of individual SSPs and services. Refer to Figure 4-2 to see the format of the windows. If the operator selects the SSP ranking, then he must provide an SSP point code and an integer ranking between one and ten inclusive.
- the SSP point code is of the format xxx-xxx-xxx, where x is an integer. If the user selects the services rankings, then a Services window pops up with the default POTS service selected. If he changes the services selection to SCP Services, then he must supply an integer ranking between one and ten inclusive for each of the services identified in Table 6-2. By entering a high ranking for a service, the user is assigning a higher priority to the service for his analysis.
- the application provides the user with the capability to start and stop processing of the application using the "Control Start" and the "Control
- the application provides the capability to terminate execution of the application using the "File Exit" menu option provided by the GUI (similar to the Intrusion Detection).
- the topology database is the repository of information related to the configuration and the individual characteristics of each element of the GTE proprietary SS7 network.
- HELP flat files are required by the application in support of the HELP option within the GUI. These files must be installed at the path enclosed by the SYSTEMHELP environment variable (similar to the Intrusion Detector).
- the required help files are: a) file_help - This is the flat file containing the help text for the "File" menu options b) services_help - This is the flat file containing the help text for the "Rankings, Services" menu option.
- vuln_monitor_help - This is the flat file containing the help text for the "Rankings SSP" menu option.
- vulnerability_help - This is the flat file containing the help text for the main Vulnerability
- the following sections describe the expected outputs provided by the System Vulnerability Analyzer application.
- the Vulnerability Analysis results are output to a log file and then displayed to the operator in a scrollable window. Both the critical nodes and the most vulnerable links for attacking the critical nodes are recorded in the analysis output file and displayed to the user.
- the critical nodes are displayed in descending order based on score. Both the node criticality score and the link vulnerability score fall within the scale of one to ten inclusive.
- the following information is displayed in the log: a) Critical SCP node point code and office name. Note that the critical SCP node is not applicable for POTS. b) Number of critical nodes.
- faults are logged by the Vulnerability Analysis process into its corresponding flat file with a default name of vulnerability_analyzer_class.log.
- the fault log can be enabled or disabled by the system configuration file previously loaded. Refer to Table 6-4 for a list of possible messages that may appear in the fault log.
- FIGURE 3-2 SCENARIO DIAGRAM PASSING A MESSAGE EXAMPLE
- FIGURE 4-2 SYSTEM CLASS CATEGORY DIAGRAM
- FIGURE 4-3 CONTEXT DIAGRAM INTRUSION DETECTOR DISPLAY MANAGER
- FIGURE 4-5 CLASS DIAGRAM DATA COLLECTOR
- FIGURE 4-6 SCENARIO DIAGRAM DATA COLLECTOR INITIALIZATION
- FIGURE 4-7 CONTEXT DIAGRAM INTRUSION DETECTOR
- FIGURE 4-8 CONTEXT DIAGRAM VULNERABILITY ANALYSIS PROCESS DISPLAY MANAGER
- FIGURE 4-9 CONTEXT DIAGRAM VULNERABILITY ANALYSIS PROCESS
- FIGURE 4-10 NETWORK TOPOLOGY DATABASE DOMAIN DIAGRAM
- This Design Description describes the design for the system.
- the system CSCIs are modeled with the Object Modeling Technique (OMT) object-oriented analysis/design methodology, using the Rational Rose/C++ computer-aided software engineering (CASE) tools.
- OMT Object Modeling Technique
- This system software includes the following Computer Software Configuration Items (CSCIs): a) Intrusion Detector (including SS7 Monitoring, User Interface, and Anomaly Detection processes) b) Vulnerability Analyzer (User Interface and Vulnerability Analysis processes) c) Topology Database
- This section presents the CSCI-wide design decisions, that is, the decisions common to all the CSCIs' behavioral design and those of their software subunits.
- the following functionality resides in the Common Infrastructure of the software architecture, accessible to all other CSCIs.
- Message queues are the preferred method for IPC since they are easier to manage and are easily ported to other processing environments. Shared memory is used when higher performance is required, since the data is shared rather than copied between the different data regions, as is done in the implementation of message queues.
- the following subsections give an overview of each of the three IPC options.
- the message queue allows multiple processes on the same machine to exchange formatted data by sending and receiving messages among themselves.
- the messages stored in a message queue are persistent, even when there is no process referencing the queue. Messages are removed from a queue only when processes explicitly retrieve them.
- a MessageQueue class is provided to interface to the embedded message queues of the UNIX kernel. It is through this interface that two independent processes are able to pass messages to each other.
- a typical class hierarchy utilizing the MessageQueue class is shown in Figure 0-1. Here we see classes of different processes, the SERVER class and the CLIENT class, and their relationships with the MessageQueue class, using the OMT notation.
- Figure 0-2 is an example scenario diagram showing how two independent processes can utilize the MessageQueue class.
- the SERVER and CLIENT objects must first instantiate their own MessageQueue objects using the MessageQueue constructor function. At this time, the IPC link is established. The status of the queue is then verified by the StatusOK() function. By using the SendMessage() and GetMessage() operations of the MessageQueue class, the processes are able to pass messages between them.
- the following system-imposed limits on the manipulation of messages are defined in the <sys/msg.h> header file: a) the maximum number of message queues b) the maximum number of bytes of data allowed for a message c) the maximum number of bytes for all messages allowed in a queue d) the maximum number of messages in all queues allowed in a system
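A wrapper of the shape the text describes (constructor establishes the queue, StatusOK(), SendMessage(), GetMessage()), written here as an added example over the System V message queue API and not the system's own MessageQueue class, whose source is not on this page. The message-type numbering, the fixed 256-byte payload bound and the self-test scenario are assumptions. It also shows the later design rule that a message of an unrecognized type is logged and discarded rather than acted on, which matters for a queue that any local process with matching permissions can write to.

```cpp
// Added example: a System V message queue wrapper with type validation.
// Message type codes, kMaxText and the self-test data are constructed here.
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <cerrno>
#include <cstring>
#include <iostream>
#include <string>

// Constructed type codes; the page names these message kinds but not their values.
enum MsgType : long { kProcessStart = 1, kProcessStop = 2, kMonitorPoints = 3, kMsuRecord = 4 };

bool isValidType(long t) { return t >= kProcessStart && t <= kMsuRecord; }

constexpr size_t kMaxText = 256;
struct QueueMsg { long mtype; char text[kMaxText]; };   // SysV layout: mtype first

class MessageQueue {
public:
    // IPC_PRIVATE yields a fresh queue; cooperating processes would share a key
    // (e.g. from ftok()). 0600 keeps other users from reading or injecting.
    explicit MessageQueue(key_t key = IPC_PRIVATE)
        : id_(msgget(key, IPC_CREAT | 0600)), err_(id_ < 0 ? errno : 0) {}
    // Queues outlive processes, so the owner removes it explicitly.
    ~MessageQueue() { if (id_ >= 0) msgctl(id_, IPC_RMID, nullptr); }
    MessageQueue(const MessageQueue&) = delete;
    MessageQueue& operator=(const MessageQueue&) = delete;

    bool StatusOK() const { return id_ >= 0; }
    int LastError() const { return err_; }

    bool SendMessage(long type, const std::string& text) {
        if (id_ < 0 || type <= 0 || text.size() >= kMaxText) return false;
        QueueMsg m{};
        m.mtype = type;
        std::memcpy(m.text, text.c_str(), text.size() + 1);
        if (msgsnd(id_, &m, text.size() + 1, 0) < 0) { err_ = errno; return false; }
        return true;
    }

    // wanted == 0 takes the oldest message of any type; block=false polls.
    bool GetMessage(long wanted, long* typeOut, std::string* textOut, bool block = true) {
        if (id_ < 0) return false;
        QueueMsg m{};
        ssize_t n = msgrcv(id_, &m, kMaxText, wanted, block ? 0 : IPC_NOWAIT);
        if (n < 0) { err_ = errno; return false; }
        *typeOut = m.mtype;
        *textOut = std::string(m.text, ::strnlen(m.text, static_cast<size_t>(n)));  // never trust the NUL
        return true;
    }

private:
    int id_;
    int err_;
};

// Single-process self-test: one valid MSU record must arrive intact and one
// message of an unknown type must be discarded. Returns 2 on success,
// 1 if this environment offers no SysV queues, 0 on failure.
int selfTest() {
    const std::string record = "MSU 001-001-001 -> 001-001-002 CHANGEOVER";  // constructed sample
    MessageQueue q;
    if (!q.StatusOK()) return 1;
    if (!q.SendMessage(kMsuRecord, record)) return 0;
    if (!q.SendMessage(99, "bogus control message")) return 0;   // unknown type
    int delivered = 0, discarded = 0;
    long type = 0;
    std::string text;
    while (q.GetMessage(0, &type, &text, false)) {
        if (!isValidType(type)) { ++discarded; continue; }   // would be logged, then dropped
        if (type == kMsuRecord && text == record) ++delivered;
    }
    return (delivered == 1 && discarded == 1) ? 2 : 0;
}

int main() {
    int r = selfTest();
    std::cout << "selfTest() = " << r << (r == 1 ? " (no SysV queues here)" : "") << '\n';
}
```

Two points the text makes show up directly in the code: because queues persist after their creator exits, the destructor removes the queue, otherwise stale queues accumulate against the system-wide limits from <sys/msg.h>; and because msgrcv() copies whatever a sender put in the buffer, the receiver bounds the string with strnlen() instead of assuming a terminator.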
- Semaphores provide a method to synchronize the execution of multiple processes. Semaphores are frequently used along with shared memory to establish a method for IPC. Like messages, semaphores are persistent, even after their creator process terminates.
- Shared memory allows multiple processes to map a portion of their virtual address space to a common memory region. Thus, any process can write data to a shared memory region and the data are readily available to be read and modified by other processes.
- the data in a shared memory region are persistent.
- the memory space is not deallocated even if the process creating the shared memory region terminates.
- since shared memory does not provide any access control method for the processes that use it, semaphores are used with the shared memory to implement this interprocess communication medium.
- the Process Manager stores the following information about the child: i) the child's process identification assigned by the UNIX kernel
- this section defines the implementation of the System's self-test requirements.
- the Process Manager: a) records this occurrence via a counter b) sends a KILL signal to the child c) resets/restarts that process d) notifies the operator via the GUI e) records the event in an error log file.
- the architecture includes two (2) independent applications, the Intrusion Detector and the Vulnerability
- the Vulnerability Analyzer includes two processes - the Vulnerability Analysis and its Display Management processes.
- the system's class category diagram is shown in Figure 0-2 using the OMT notation.
- the class category diagram illustrates the logical collections of classes used by the applications. It maps well to the software architecture diagram presented earlier; however, the significance of this diagram is that it shows the relationships and dependencies between these logical class groupings, including the Common Infrastructure category.
- the Common Infrastructure is an abstraction layer, used to isolate the rest of the application from the details of the low-level, operating-system-specific functionality, for portability to other platforms. It is a repository of common functionality of multiple processes (IPCs and database interfaces). It is implemented as a domain-specific framework or library, available to the higher-level subsystems to maximize reuse and standardization.
- This section describes the concept of execution and the IPC interfaces of the different processes that make up the System Intrusion Detector.
- the Intrusion Detector's architecture is partitioned into three (3) independent processes - the Data Collection, the Intrusion Detection, and its Display Management processes.
- the Display Management process is the top-level or parent process of the Intrusion Detector and is available during system operation. This process includes the graphical user interface, designed using the SPARCworks Visual GUI builder and the Motif libraries, as well as operations for preparing the incoming data for user display.
- the look-and-feel of the environment is similar to that of the OpenWindows environment.
- the message queue is the method used for all interprocess communication to and from the Display Management process.
- the operator console of the Intrusion Detector application is the GUI environment that allows the operator to change the application's operating parameters and observe predefined statistics, as well as overall system status.
- statistics are maintained constantly by the Display Management process.
- a) Network Topology Information: by clicking the mouse's right button on the desired node displayed on the topology view. This node information is provided to the operator in a scrollable text window. From that window, the operator can select a particular linkset of that node and view its characteristics.
- b) Network Statistics: from the environment's main menu bar, the operator can request to view the capacity measurements listed below. Information is provided from the Intrusion Detection process at a fixed interval. A fault is logged if this message is not received within the expected time.
- IPC messages are sent from the Intrusion Detection Process: a) Anomaly Detection: in the event that any of the predefined anomaly rules, or a combination of these rules, are satisfied (indicating a detection), a message is sent to the Display Management process for display. The message will indicate the following information about the anomaly:
- This message is also used by the Display Management process as a heartbeat indication from the Intrusion Detection process.
- the following IPC messages are sent to the Data Collection Process: a) Enable/disable test stimulus from file: when enabled, the Data Collection process will inject the test stimulus data into the real-time data stream. b) Operator-programmable configuration parameters.
- the following IPC messages are sent from the Data Collection Process. This message is also used by the Display Management process as a heartbeat indication from the Data Collection process. a) Total number of messages per second. b) SS7 link "heartbeat" indication (as received from the Monitoring Analyzer).
- the node and link information are retrieved by the Display Management process from the Topology database when the monitoring point is specified by the operator.
- This node and link information are detailed below.
- the Display Management process implements the following functionality: a) Operator Console Management b) Process Management
- upon initialization, the Display Management process displays its operator console with all configuration parameters set to the factory default values (thresholds, etc.). It then waits for operator interaction. The operator will need to provide the configuration information listed below. This information can be loaded manually or by loading a predefined configuration flat file: a) File Maintenance b) Monitoring Point c) Threshold values (if different from defaults)
- the monitoring points are used to generate and display the local network topology view.
- the network topology view is based on topology information retrieved from the topology database (nodes, signal links, etc.).
- the GUI performs the following: a) get the topology linkset for the first point code entered by the operator b) if a monitoring point is an A-line, get its corresponding A-line mate to the end node and include it in the drawing c) if a monitor point is of a mated STP, draw the interconnecting lines of the STP mate d) draw the local network - all direct links to the monitoring point are represented by a regular solid line. For clarity, the link(s) selected as being monitored are represented by a bold solid line.
- the network view reflects the current state of each link of the local network to the operator using color coding.
- the link status is color coded, indicating the anomaly ranking (BLUE, YELLOW, ORANGE or RED). This anomaly ranking is based on the "Alarm type" data field from the anomaly detection message.
- the Data Collector accepts pre-formatted SS7 message data from the SS7 monitoring source (via the communication port) and/or a UNIX file containing test messages. It is a real-time operation whose primary function is to manage the communication port, as needed, and prepare the data for output to the next process in the real-time pipe - the Intrusion Detection process.
- the interfaces of the Data Collector are shown in Figure 0-4. Each of these interfaces is detailed in the following subsections.
- the incoming SS7 message, from the monitoring analyzer, is pre-formatted such that each message is of a fixed length with fixed information fields.
- the expected format for the SS7 message input is shown in Table 0-1.
- the messaging to the Intrusion Detection Process includes the reformatted SS7 messages to be used in the intrusion determination.
- the output message format to the Intrusion Detection includes the following components: a) the pre-formatted SS7 input message b) a time stamp generated by the Data Collection process
- the Data Collection process will read and inject the test SS7 messages into the real-time message stream for purposes of testing.
- the format and the content of these test messages are identical to those from the monitoring analyzer.
- the top-level class diagram for the Data Collection process is shown in Figure 0-5.
- the following is a list of the classes, their responsibilities, and their collaborations with the other classes.
- the Data Collector class is the main class of this process. Its responsibility is to create and control its subclasses at a high level.
- the MessageQueue class resides in the Common Infrastructure category. It is this class that represents the IPC method used by the Data Collector.
- the CommPort class's responsibility is to control the communication port and manage the data flow from the port.
- the SS7 message data structures are made available to the Data
- the File class is the Data Collector's interface to the Unix files.
- the data structures of the test SS7 messages are made available to the Data Collector class, identical to that of the
- the Clock class is used by the Data Collector as the main timer of the process.
- Figure 0-6 is the high-level scenario diagram for initializing the Data Collection process.
- the function theDataCollector::Initialize() is called first and performs the required initialization implementation for the DataCollector class, as well as its subclasses.
- MessageQueue class, which sets up the IPC link between the two processes
- a) theFile::FileDetected(): the DataCollector object verifies the existence of the test message file for injection.
- theDataCollector::EnableFileMsgs() is then called to set the proper local flags to enable this operation.
- theClock::SetTimer(): the timer is set up and used to control the test message injection into the SS7 message stream from the UNIX file.
- the Network Topology Database provides the intrusion detection algorithms with the required relevant infrastructure data (node and link information) of the SS7 network.
- the network topology information and its format, as required for the intrusion detection, is identical to that used by the Display Management process.
- the Intrusion Detection process logs all anomaly detections, as well as the resultant intrusion decision.
- the filename is specified by the operator via the Display Management process.
- the Intrusion Detection process reacts to an IPC message in its message queue.
- the thread of execution performed is based primarily on the type of this message. Any message whose type is determined to be invalid is logged and discarded.
- the following messages are valid for this process: a) Statistics Enable/Disable b) Fault Log Enable/Disable c) Process Start/Stop d) Process Shutdown e) Monitor Points f) SS7 MSU Record
- the detector uses the information from previously captured SS7 messages, as well as network topology information. It then correlates its results to predefined conditions or rules that would indicate the presence of an anomaly (or anomalies).
- the following conditions are tested at different levels of the protocol: a) ISDN User Part (ISUP) messages: i) Improper RELEASE ii) Improper BLOCKING and/or CIRCUIT GROUP BLOCKING
- the current SS7 message is stored and used in future anomaly tests.
- This secnon desc ⁇ bes the concept of execunon and the IPC mterfaces of the different processes that make up the System Vulnerability Analyzer.
- the Vulnerability Analyzer's architecture is pamnoned mto two (2) mdependent processes, the Vulnerability Analysis and Display Management processes
- the primary responsibility of the Vulnerability Analyzer is to evaluate an SS7 network topology and determme the loca ⁇ ons most vulnerable to SS7 nerwork mtrusion.
- the Display Management process is the top-level or parent process of the Vulnerability Analyzer and is available du ⁇ g system operanon. This process mcludes a wmdow-based environment, smular to that used in the Intrusion Detector This was purposefully done for two reasons
- the followmg subsecnons identify the external mterfaces of the Vulnerability Analyzer's Display Management process, as shown in the context diagram Figure 0-8.
- the Message queue is the method used for all interprocess communicanon to and from the Display Management process. /07312
- the operator console of the Vulnerability Analyzer applicanon is the GUI environment that allows the opera t or to change the app ca ⁇ on's operating parameters and observe predefined stansncs. as well as overall system status.
- the Display Management process will then retrieve the vulnerability log UNIX fiat file for operator display
- the data fields of the display include the following informanon. a) the Link or Node name and office name a) the c ⁇ tena satisfied indicatmg vulnerability a) its vulnerability ranking
- This secnon details the Display Management process's interprocess communicanon to and from t he Vulnerability Analysis process.
- the followmg IPC messages are sent from the Vulnerability Analysis Process its Display Management process - a) Operanonal Control Messagmg: The followmg indicanons are sent from the
- the Vulnerability Analyzer's Display Management process sends its own ANALYZE indicanon to the Vulnerability Analysis Process.
- the Display Management process Upon recepnon of the COMPLETE message from the Vulnerability Analysis Process, the Display Management process ret ⁇ eves the specified Unix flat file contammg the vulnerability log informanon, just calculated. It is then displayed to the operator via its own scrollable text display wmdow.
- the Vulnerability Analysis evaluates the cunent SS7 network topology and ranks the each ennty of the nerwork infrastructure, based on its vulnerability to potennal intrusions.
- the Vulnerability Analysis process records its results mto a UNIX flat file for future ret ⁇ eval and display by the Display Management process.
- the text fields in this text file are as follows: a) the Link or Node name and office name a) the c ⁇ te ⁇ a sansfied indicating vulnerability a) its vulnerability ranking
- the Network Topology Database provides the vulnerabihty analysis algo ⁇ thms with the required relevant infrastructure dau of the SS7 network .
- the nerwork topology informanon and its format, as required for the vulnerability analysis, are listed below: a) Nume ⁇ cal weights for Physical Accessibility of the each link and node. a) Nume ⁇ cal weights for Funcnonal Accessibility of the each link and node. a) Nume ⁇ cal weights for Secu ⁇ ty Capability of the each link and node. a) Nume ⁇ cal weights for Node Criticality of the each node, relanve to the surrounding network. a) Link and node informanon.
- this process analyzes and ranks each link and node within the GTE SS7 nerwork on its potennal vulnerability to mtrusion. O 00/07312
- Information about the network's infrastructure is retrieved from its database (topology and link/node vulnerability relationships) and used in its algorithms.
- the following aspects of the network are analyzed for each vulnerability determination: a) Physical characteristics - the media type used (copper, fiber, etc.) b) Functional characteristics - the services provided on the link or node c) Security characteristics - the existing screening measures (on-line, encryption, observation, etc.) d) Node Criticality - the importance of the network element with respect to its usage and capacity e) Redundancy - availability of alternate routing around the element.
- a resultant message is sent to the specified text log file (UNIX flat file). This is the file that the Display Management Process retrieves for operator display.
- a COMPLETION message is sent to the Display Management process, indicating that the analysis results are available for display.
- the Network Topology Database is the persistent storage for the GTE SS7 network infrastructure. It contains all the nodal and link information required to implement both the Intrusion Detector and the Vulnerability Analyzer processes.
- This third-party library is a collection of utility routines that is our main interface to this database.
- the Topology database is accessed via the DatabaseInterface class, whose external interface satisfies the operational requirements of the other processes.
- the DatabaseInterface class is a wrapper class, isolating the Open Client library function calls within itself and from the rest of the design.
- the database In response to a function call by a client process to the DatabaseInterface class, the database returns the required data set as defined by its external interface functional signature.
- This section presents a high-level detail of the specific algorithms used in determining the possibility of an anomaly event within the GTE SS7 network.
- All SS7 MSU messages of type MTP are analyzed for inconsistencies within their data fields as compared to the SS7 ANSI specification. The MTP tests described within this section are only performed on links currently being monitored by the Secure7 IDS.
- a) The following SS7 MSU of type MTP are supported by the System Intrusion Detector: i) Changeover (CHANGEOVER, CHANGEOVER ACKNOWLEDGE, CHANGEBACK.
- Verify the OPC of this message corresponds to a Signaling Transfer Point (STP)
- STP Signaling Transfer Pomt
- Verify the destination point code corresponds to a node directly connected to the originating STP from which the message was sent. i) Verify that at least one of the following message types was previously detected on the destination link referred to by this message. An alarm is declared to the GUI and log file if none of the following messages are detected. (If the destination link referred to by this message is not part of the local topology defined, then this item will not be checked.)
- An alarm is declared to the GUI and log file if any of the following conditions are FALSE: i) Verify that a BLOCK or a GROUP BLOCK message was previously detected on the same link from the opposite direction (DPC and OPC are reversed). ii) A response (an UNBLOCK message) must follow a GROUP BLOCK ACKNOWLEDGE message within a five (5) minute time period plus a processing delay time. j) Unblock - Upon reception of an UNBLOCK ISUP message, the following tests are performed. An alarm is declared to the GUI and log file if any of the following conditions are FALSE:
- An alarm is declared to the GUI and log file if any of the following conditions are FALSE: i) Verify that an UNBLOCK or GROUP UNBLOCK message was previously detected on the same link from the opposite direction (DPC and OPC are reversed). k) Unequipped Circuit - Upon reception of an UNEQUIPPED CIRCUIT ISUP message, the following tests are performed. An alarm is declared to the GUI and log file if any of the following conditions are FALSE: i) Verify that a RELEASE, RESET, GROUP RESET, BLOCK or GROUP BLOCK message was previously detected on the same link from the opposite direction (DPC and OPC are reversed). APPENDIX C SOFTWARE DESIGN DOCUMENT
- This section deals with a periodic analysis of the network as a result of the message flow and its effect on that network. a) If a link is prohibited or restricted, as a result of a TRANSFER PROHIBIT or a TRANSFER RESTRICT MTP message, the following tests are performed, but only if the link to the destination point code, referred to by the TRANSFER PROHIBIT or TRANSFER RESTRICT MTP message, is being monitored.
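The reverse-direction predecessor checks and the five-minute response window from the ISUP items above, together with the OPC/DPC checks from the MTP items, as an added example written for this page (it is not the patent's or GTE's own code). The topology, point-code names and message stream are constructed. The UNEQUIPPED CIRCUIT rule is the one the page states; the BLOCK ACKNOWLEDGE and UNBLOCK ACKNOWLEDGE triggers and the ten-second processing delay are assumptions, because the page text naming those triggers is cut off. The MTP checks are applied here to every MTP message, which generalizes the per-message rules the page lists.

```python
"""Stateful SS7 sequence checks modelled on the page's Appendix C tests.
Example code written for this page, not the patent's implementation.
Topology, point codes and the sample stream are constructed."""
from collections import defaultdict

# Constructed topology (assumption): which point codes are STPs and which
# nodes each STP is directly connected to.
STPS = {"STP-A", "STP-B"}
ADJACENT = {
    "STP-A": {"SSP-1", "SSP-2", "STP-B"},
    "STP-B": {"SSP-3", "STP-A"},
}

# A message listed as a key is only legitimate if one of its predecessors was
# seen earlier on the same link in the opposite direction (OPC/DPC reversed).
# UNEQUIPPED CIRCUIT is the rule the page spells out; the two acknowledgement
# triggers are assumed because the page text naming them is cut off.
PREDECESSORS = {
    "UNEQUIPPED CIRCUIT": {"RELEASE", "RESET", "GROUP RESET", "BLOCK", "GROUP BLOCK"},
    "BLOCK ACKNOWLEDGE": {"BLOCK", "GROUP BLOCK"},        # assumed trigger
    "UNBLOCK ACKNOWLEDGE": {"UNBLOCK", "GROUP UNBLOCK"},  # assumed trigger
}

RESPONSE_WINDOW_S = 5 * 60  # page: UNBLOCK must follow GROUP BLOCK ACK within 5 min
PROCESSING_DELAY_S = 10     # assumed allowance for processing delay


class SequenceChecker:
    """Keeps per-link history and collects alarms as (timestamp, text)."""

    def __init__(self):
        self.seen = defaultdict(set)  # (opc, dpc) -> message types seen in that direction
        self.pending = {}             # (opc, dpc) -> deadline for the expected UNBLOCK
        self.alarms = []

    def _alarm(self, t, opc, dpc, mtype, text):
        self.alarms.append((t, f"{opc}->{dpc} {mtype}: {text}"))

    def expire(self, now):
        """Alarm for every GROUP BLOCK ACKNOWLEDGE whose response window has elapsed."""
        for (opc, dpc), deadline in list(self.pending.items()):
            if now > deadline:
                self._alarm(now, opc, dpc, "GROUP BLOCK ACKNOWLEDGE", "no UNBLOCK within window")
                del self.pending[(opc, dpc)]

    def feed(self, msg):
        t, opc, dpc, mtype = msg["t"], msg["opc"], msg["dpc"], msg["type"]
        self.expire(t)
        link, reverse = (opc, dpc), (dpc, opc)

        if msg["proto"] == "MTP":
            # Page's MTP checks: the originator must be an STP and the destination
            # must be directly connected to that STP.
            if opc not in STPS:
                self._alarm(t, opc, dpc, mtype, "OPC is not an STP")
            elif dpc not in ADJACENT[opc]:
                self._alarm(t, opc, dpc, mtype, "DPC not adjacent to originating STP")
        else:  # ISUP
            needed = PREDECESSORS.get(mtype)
            if needed is not None and not (needed & self.seen[reverse]):
                self._alarm(t, opc, dpc, mtype, "no qualifying predecessor from the opposite direction")
            if mtype == "GROUP BLOCK ACKNOWLEDGE":
                self.pending[link] = t + RESPONSE_WINDOW_S + PROCESSING_DELAY_S
            elif mtype == "UNBLOCK":
                # Assumption: the UNBLOCK may travel in either direction of the link.
                self.pending.pop(link, None)
                self.pending.pop(reverse, None)
        self.seen[link].add(mtype)
        return self.alarms


def run_sample():
    """Constructed stream: one legitimate BLOCK exchange, then four anomalies."""
    stream = [
        dict(t=0, proto="ISUP", opc="SSP-1", dpc="STP-A", type="BLOCK"),
        dict(t=1, proto="ISUP", opc="STP-A", dpc="SSP-1", type="BLOCK ACKNOWLEDGE"),  # BLOCK seen on reverse: ok
        dict(t=2, proto="ISUP", opc="STP-B", dpc="SSP-3", type="UNEQUIPPED CIRCUIT"),  # nothing preceded it
        dict(t=3, proto="MTP", opc="SSP-2", dpc="STP-A", type="TRANSFER PROHIBIT"),   # OPC is an SSP
        dict(t=4, proto="MTP", opc="STP-A", dpc="SSP-3", type="TRANSFER PROHIBIT"),   # SSP-3 hangs off STP-B
        dict(t=5, proto="ISUP", opc="SSP-2", dpc="STP-A", type="GROUP BLOCK ACKNOWLEDGE"),  # opens the window
        dict(t=400, proto="ISUP", opc="STP-A", dpc="SSP-2", type="RELEASE"),  # arrives after the window closed
    ]
    checker = SequenceChecker()
    for msg in stream:
        checker.feed(msg)
    checker.expire(stream[-1]["t"])
    return checker.alarms


if __name__ == "__main__":
    for t, text in run_sample():
        print(f"t={t:4d}  ALARM {text}")
```

The checker keys history by direction, so a predecessor is only credited when it was seen with OPC and DPC swapped, which is exactly the distinction the page's tests draw; a real deployment would load STPS and ADJACENT from the Network Topology Database instead of the constructed dictionaries.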
- Logical-number-LinksPerLinkset APPENDIX D VULNERABILITY ANALYSIS ATTRIBUTES AND ALGORITHMS
- this ranking uses the concept that the further the intrusion occurs from the desired target, the less likely the attack is to succeed, due to routing, screening, etc.
- SCP Node Criticality = (Average of Service Desirability Rankings) × Σ(SSPs w/ access via SCP to desired service) × (Normalized Node Capacity)
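A ranking of links and nodes from the attributes listed above (Physical Accessibility, Functional Accessibility, Security Capability, Node Criticality, Redundancy), as an added example written for this page, not the patent's algorithm. The SCP Node Criticality formula is the one the page gives; the way the attributes are combined into a score, the 0..1 weight scales, the entry-point threshold, the per-hop discount that models "further from the target, less likely to succeed", and the five-element topology are all assumptions.

```python
"""Vulnerability ranking of SS7 links and nodes from the attributes the page
lists. Example code written for this page, not the patent's algorithm; only
the SCP Node Criticality formula comes from the page. All weights, the
scoring formula and the topology are constructed assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Element:
    name: str
    kind: str          # "SCP", "STP", "SSP" or "LINK"
    physical: float    # Physical Accessibility: 0 = hard to reach, 1 = easy (assumed scale)
    functional: float  # Functional Accessibility: how much a reached element lets one do
    security: float    # Security Capability: 0 = no screening, 1 = strong screening
    redundancy: float  # share of traffic that has an alternate route around the element
    criticality: float = 0.0  # Node Criticality relative to the surrounding network


def scp_node_criticality(service_rankings, ssps_with_access, normalized_capacity):
    """Page's formula: (average Service Desirability Ranking) x (SSPs with access
    via this SCP to the desired service) x (Normalized Node Capacity)."""
    average = sum(service_rankings) / len(service_rankings)
    return average * ssps_with_access * normalized_capacity


ENTRY_THRESHOLD = 0.7  # assumed: physical accessibility at which an element is an entry point
HOP_DISCOUNT = 0.5     # assumed: success multiplier per routing hop from the entry point


def hops_from_entry(elements, adjacency):
    """Multi-source BFS: shortest hop count from any entry point to each element."""
    dist = {e.name: 0 for e in elements.values() if e.physical >= ENTRY_THRESHOLD}
    queue = deque(dist)
    while queue:
        cur = queue.popleft()
        for nxt in adjacency.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def vulnerability_score(e, hops):
    """Assumed combination: accessibility and criticality raise the score,
    security and redundancy lower it, and every hop between the entry point
    and the element applies the page's 'further away, less likely' discount."""
    exposure = (e.physical + e.functional) / 2
    resistance = (e.security + e.redundancy) / 2
    return exposure * (1 - resistance) * (1 + e.criticality) * HOP_DISCOUNT ** hops


def rank(elements, adjacency):
    """Return [(score, name, hops)] from most to least vulnerable."""
    dist = hops_from_entry(elements, adjacency)
    scored = [(vulnerability_score(e, dist[e.name]), e.name, dist[e.name])
              for e in elements.values() if e.name in dist]
    return sorted(scored, reverse=True)


def run_sample():
    """Constructed five-element topology: SSP-1 -- link -- STP-A -- link -- SCP-1."""
    scp_crit = scp_node_criticality([0.9, 0.7, 0.8], ssps_with_access=2, normalized_capacity=0.75)
    elements = {e.name: e for e in [
        Element("SCP-1", "SCP", physical=0.1, functional=0.9, security=0.8, redundancy=0.2, criticality=scp_crit),
        Element("STP-A", "STP", physical=0.2, functional=0.8, security=0.7, redundancy=0.9, criticality=0.6),
        Element("SSP-1", "SSP", physical=0.8, functional=0.5, security=0.3, redundancy=0.1, criticality=0.2),
        Element("L-SSP1-STPA", "LINK", physical=0.9, functional=0.4, security=0.2, redundancy=0.0),  # copper, unscreened
        Element("L-STPA-SCP1", "LINK", physical=0.3, functional=0.7, security=0.6, redundancy=0.5),
    ]}
    adjacency = {
        "SSP-1": ["L-SSP1-STPA"],
        "L-SSP1-STPA": ["SSP-1", "STP-A"],
        "STP-A": ["L-SSP1-STPA", "L-STPA-SCP1"],
        "L-STPA-SCP1": ["STP-A", "SCP-1"],
        "SCP-1": ["L-STPA-SCP1"],
    }
    return rank(elements, adjacency)


if __name__ == "__main__":
    for score, name, hops in run_sample():
        print(f"{name:12s} hops={hops} score={score:.4f}")
```

Links are modelled as graph vertices between their two endpoints so the same BFS ranks links and nodes alike; the sample shows the effect the page describes, with the highly critical SCP ranking below the exposed access-side SSP and link because it sits three hops behind routing screening.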
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP99937710A EP1101304A1 (en) | 1998-07-31 | 1999-07-30 | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
JP2000563018A JP2002521775A (en) | 1998-07-31 | 1999-07-30 | Intrusion detection and vulnerability analysis system in telecommunication signal network |
AU52488/99A AU5248899A (en) | 1998-07-31 | 1999-07-30 | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/127,241 | 1998-07-31 | ||
US09/127,241 US6711127B1 (en) | 1998-07-31 | 1998-07-31 | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000007312A1 true WO2000007312A1 (en) | 2000-02-10 |
Family
ID=22429056
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US1999/017408 WO2000007312A1 (en) | 1998-07-31 | 1999-07-30 | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
Country Status (6)
Country | Link |
---|---|
US (1) | US6711127B1 (en) |
EP (1) | EP1101304A1 (en) |
JP (1) | JP2002521775A (en) |
KR (1) | KR100718023B1 (en) |
AU (1) | AU5248899A (en) |
WO (1) | WO2000007312A1 (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20000054521A (en) * | 2000-06-09 | 2000-09-05 | 김상돈 | System and method for blocking an attack from hacking robot program |
KR20010103201A (en) * | 2000-05-06 | 2001-11-23 | 조용학 | The checking system against infiltration of hacking and virus |
KR20010105490A (en) * | 2000-05-10 | 2001-11-29 | 이영아 | Hacking detection and chase system |
KR100383224B1 (en) * | 2000-05-19 | 2003-05-12 | 주식회사 사이젠텍 | Linux-Based Integrated Security System for Network and Method thereof, and Semiconductor Device Having These Solutions |
EP1488316A2 (en) * | 2002-03-08 | 2004-12-22 | Ciphertrust, Inc. | Systems and methods for enhancing electronic communication security |
US7036148B2 (en) | 2001-05-08 | 2006-04-25 | International Business Machines Corporation | Method of operating an intrusion detection system according to a set of business rules |
US7739082B2 (en) | 2006-06-08 | 2010-06-15 | Battelle Memorial Institute | System and method for anomaly detection |
US8214497B2 (en) | 2007-01-24 | 2012-07-03 | Mcafee, Inc. | Multi-dimensional reputation scoring |
US8549611B2 (en) | 2002-03-08 | 2013-10-01 | Mcafee, Inc. | Systems and methods for classification of messaging entities |
US8561167B2 (en) | 2002-03-08 | 2013-10-15 | Mcafee, Inc. | Web reputation scoring |
US8631495B2 (en) | 2002-03-08 | 2014-01-14 | Mcafee, Inc. | Systems and methods for message threat management |
US8763114B2 (en) | 2007-01-24 | 2014-06-24 | Mcafee, Inc. | Detecting image spam |
WO2019004859A1 (en) * | 2017-06-30 | 2019-01-03 | Siemens Aktiengesellschaft | Method for monitoring an analytical system for stream data |
WO2022161607A1 (en) * | 2021-01-27 | 2022-08-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Computer-implemented method and arrangement for classifying anomalies |
US11582249B2 (en) | 2019-11-27 | 2023-02-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Computer-implemented method and arrangement for classifying anomalies |
Families Citing this family (128)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IL143573A0 (en) | 1998-12-09 | 2002-04-21 | Network Ice Corp | A method and apparatus for providing network and computer system security |
US7346929B1 (en) * | 1999-07-29 | 2008-03-18 | International Business Machines Corporation | Method and apparatus for auditing network security |
US7073198B1 (en) | 1999-08-26 | 2006-07-04 | Ncircle Network Security, Inc. | Method and system for detecting a vulnerability in a network |
US8006243B2 (en) * | 1999-12-07 | 2011-08-23 | International Business Machines Corporation | Method and apparatus for remote installation of network drivers and software |
US6957348B1 (en) * | 2000-01-10 | 2005-10-18 | Ncircle Network Security, Inc. | Interoperability of vulnerability and intrusion detection systems |
WO2001084775A2 (en) * | 2000-04-28 | 2001-11-08 | Internet Security Systems, Inc. | System and method for managing security events on a network |
US7574740B1 (en) | 2000-04-28 | 2009-08-11 | International Business Machines Corporation | Method and system for intrusion detection in a computer network |
JP4700884B2 (en) * | 2000-04-28 | 2011-06-15 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Method and system for managing computer security information |
US7380272B2 (en) * | 2000-05-17 | 2008-05-27 | Deep Nines Incorporated | System and method for detecting and eliminating IP spoofing in a data transmission network |
US7058976B1 (en) | 2000-05-17 | 2006-06-06 | Deep Nines, Inc. | Intelligent feedback loop process control system |
US20040073617A1 (en) | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
AU2001281150A1 (en) * | 2000-08-07 | 2002-02-18 | Xacct Technologies Limited | System, method and computer program product for processing network accounting information |
US7181769B1 (en) | 2000-08-25 | 2007-02-20 | Ncircle Network Security, Inc. | Network security system having a device profiler communicatively coupled to a traffic monitor |
US9280667B1 (en) | 2000-08-25 | 2016-03-08 | Tripwire, Inc. | Persistent host determination |
US9027121B2 (en) | 2000-10-10 | 2015-05-05 | International Business Machines Corporation | Method and system for creating a record for one or more computer security incidents |
US7146305B2 (en) * | 2000-10-24 | 2006-12-05 | Vcis, Inc. | Analytical virtual machine |
US7130466B2 (en) * | 2000-12-21 | 2006-10-31 | Cobion Ag | System and method for compiling images from a database and comparing the compiled images with known images |
US6850253B1 (en) * | 2000-12-26 | 2005-02-01 | Nortel Networks Limited | Representing network link and connection information in a graphical user interface suitable for network management |
US20020147803A1 (en) * | 2001-01-31 | 2002-10-10 | Dodd Timothy David | Method and system for calculating risk in association with a security audit of a computer network |
JP2002330177A (en) * | 2001-03-02 | 2002-11-15 | Seer Insight Security Inc | Security management server and host sever operating in linkage with the security management server |
DE60135449D1 (en) * | 2001-06-14 | 2008-10-02 | Ibm | Intrusion detection in data processing systems |
US7657419B2 (en) * | 2001-06-19 | 2010-02-02 | International Business Machines Corporation | Analytical virtual machine |
US6513122B1 (en) | 2001-06-29 | 2003-01-28 | Networks Associates Technology, Inc. | Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities |
EP1280298A1 (en) * | 2001-07-26 | 2003-01-29 | BRITISH TELECOMMUNICATIONS public limited company | Method and apparatus of detecting network activity |
US20030084319A1 (en) * | 2001-10-31 | 2003-05-01 | Tarquini Richard Paul | Node, method and computer readable medium for inserting an intrusion prevention system into a network stack |
US20030084328A1 (en) * | 2001-10-31 | 2003-05-01 | Tarquini Richard Paul | Method and computer-readable medium for integrating a decode engine with an intrusion detection system |
US8266703B1 (en) | 2001-11-30 | 2012-09-11 | Mcafee, Inc. | System, method and computer program product for improving computer network intrusion detection by risk prioritization |
US6546493B1 (en) | 2001-11-30 | 2003-04-08 | Networks Associates Technology, Inc. | System, method and computer program product for risk assessment scanning based on detected anomalous events |
US7673137B2 (en) * | 2002-01-04 | 2010-03-02 | International Business Machines Corporation | System and method for the managed security control of processes on a computer system |
US7694128B2 (en) * | 2002-03-08 | 2010-04-06 | Mcafee, Inc. | Systems and methods for secure communication delivery |
US7458098B2 (en) * | 2002-03-08 | 2008-11-25 | Secure Computing Corporation | Systems and methods for enhancing electronic communication security |
US7693947B2 (en) | 2002-03-08 | 2010-04-06 | Mcafee, Inc. | Systems and methods for graphically displaying messaging traffic |
US8132250B2 (en) * | 2002-03-08 | 2012-03-06 | Mcafee, Inc. | Message profiling systems and methods |
US7903549B2 (en) * | 2002-03-08 | 2011-03-08 | Secure Computing Corporation | Content-based policy compliance systems and methods |
US6941467B2 (en) * | 2002-03-08 | 2005-09-06 | Ciphertrust, Inc. | Systems and methods for adaptive message interrogation through multiple queues |
US7124438B2 (en) * | 2002-03-08 | 2006-10-17 | Ciphertrust, Inc. | Systems and methods for anomaly detection in patterns of monitored communications |
US8578480B2 (en) | 2002-03-08 | 2013-11-05 | Mcafee, Inc. | Systems and methods for identifying potentially malicious messages |
US7870203B2 (en) | 2002-03-08 | 2011-01-11 | Mcafee, Inc. | Methods and systems for exposing messaging reputation to an end user |
US7737134B2 (en) * | 2002-03-13 | 2010-06-15 | The Texas A & M University System | Anticancer agents and use |
US6715084B2 (en) * | 2002-03-26 | 2004-03-30 | Bellsouth Intellectual Property Corporation | Firewall system and method via feedback from broad-scope monitoring for intrusion detection |
US7370360B2 (en) * | 2002-05-13 | 2008-05-06 | International Business Machines Corporation | Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine |
US20030229703A1 (en) * | 2002-06-06 | 2003-12-11 | International Business Machines Corporation | Method and apparatus for identifying intrusions into a network data processing system |
US20060010209A1 (en) * | 2002-08-07 | 2006-01-12 | Hodgson Paul W | Server for sending electronics messages |
KR100456635B1 (en) * | 2002-11-14 | 2004-11-10 | 한국전자통신연구원 | Method and system for defensing distributed denial of service |
US6834409B2 (en) * | 2002-12-23 | 2004-12-28 | Nordock, Inc. | Dock leveler |
US7913303B1 (en) | 2003-01-21 | 2011-03-22 | International Business Machines Corporation | Method and system for dynamically protecting a computer system from attack |
WO2004084083A1 (en) * | 2003-03-19 | 2004-09-30 | Unisys Corporation | Server consolidation analysis |
US7730175B1 (en) | 2003-05-12 | 2010-06-01 | Sourcefire, Inc. | Systems and methods for identifying the services of a network |
US8201249B2 (en) * | 2003-05-14 | 2012-06-12 | Northrop Grumman Systems Corporation | Steady state computer intrusion and misuse detection |
US7926113B1 (en) * | 2003-06-09 | 2011-04-12 | Tenable Network Security, Inc. | System and method for managing network vulnerability analysis systems |
US9350752B2 (en) | 2003-07-01 | 2016-05-24 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9100431B2 (en) | 2003-07-01 | 2015-08-04 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
US9118711B2 (en) * | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118709B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118710B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | System, method, and computer program product for reporting an occurrence in different manners |
US20070113272A2 (en) | 2003-07-01 | 2007-05-17 | Securityprofiling, Inc. | Real-time vulnerability monitoring |
US8984644B2 (en) | 2003-07-01 | 2015-03-17 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
JP2005108099A (en) * | 2003-10-01 | 2005-04-21 | Hitachi Ltd | Information security policy evaluation system and its control method |
US7657938B2 (en) * | 2003-10-28 | 2010-02-02 | International Business Machines Corporation | Method and system for protecting computer networks by altering unwanted network data traffic |
CA2733172C (en) * | 2004-05-07 | 2011-10-25 | Sandvine Incorporated Ulc | A system and method for detecting sources of abnormal computer network messages |
US8171555B2 (en) | 2004-07-23 | 2012-05-01 | Fortinet, Inc. | Determining technology-appropriate remediation for vulnerability |
US20060018478A1 (en) * | 2004-07-23 | 2006-01-26 | Diefenderfer Kristopher G | Secure communication protocol |
US7665119B2 (en) | 2004-09-03 | 2010-02-16 | Secure Elements, Inc. | Policy-based selection of remediation |
US7761920B2 (en) * | 2004-09-03 | 2010-07-20 | Fortinet, Inc. | Data structure for policy-based remediation selection |
US7774848B2 (en) | 2004-07-23 | 2010-08-10 | Fortinet, Inc. | Mapping remediation to plurality of vulnerabilities |
US7539681B2 (en) * | 2004-07-26 | 2009-05-26 | Sourcefire, Inc. | Methods and systems for multi-pattern searching |
US7672948B2 (en) * | 2004-09-03 | 2010-03-02 | Fortinet, Inc. | Centralized data transformation |
US7703137B2 (en) * | 2004-09-03 | 2010-04-20 | Fortinet, Inc. | Centralized data transformation |
US7451486B2 (en) * | 2004-09-30 | 2008-11-11 | Avaya Inc. | Stateful and cross-protocol intrusion detection for voice over IP |
US20060080738A1 (en) * | 2004-10-08 | 2006-04-13 | Bezilla Daniel B | Automatic criticality assessment |
US8635690B2 (en) | 2004-11-05 | 2014-01-21 | Mcafee, Inc. | Reputation based message processing |
US20060168193A1 (en) * | 2004-11-23 | 2006-07-27 | Gerald Starling | Methods, computer program products, and systems for detecting incidents within a communications network |
US7602731B2 (en) * | 2004-12-22 | 2009-10-13 | Intruguard Devices, Inc. | System and method for integrated header, state, rate and content anomaly prevention with policy enforcement |
US7626940B2 (en) * | 2004-12-22 | 2009-12-01 | Intruguard Devices, Inc. | System and method for integrated header, state, rate and content anomaly prevention for domain name service |
US9167471B2 (en) | 2009-05-07 | 2015-10-20 | Jasper Technologies, Inc. | System and method for responding to aggressive behavior associated with wireless devices |
US7937480B2 (en) * | 2005-06-02 | 2011-05-03 | Mcafee, Inc. | Aggregation of reputation data |
US20080209566A1 (en) * | 2005-06-30 | 2008-08-28 | Raw Analysis Ltd. | Method and System For Network Vulnerability Assessment |
US7733803B2 (en) * | 2005-11-14 | 2010-06-08 | Sourcefire, Inc. | Systems and methods for modifying network map attributes |
US8046833B2 (en) * | 2005-11-14 | 2011-10-25 | Sourcefire, Inc. | Intrusion event correlation with network discovery information |
US7681132B2 (en) * | 2006-07-13 | 2010-03-16 | International Business Machines Corporation | System, method and program product for visually presenting data describing network intrusions |
US7948988B2 (en) * | 2006-07-27 | 2011-05-24 | Sourcefire, Inc. | Device, system and method for analysis of fragments in a fragment train |
US7701945B2 (en) * | 2006-08-10 | 2010-04-20 | Sourcefire, Inc. | Device, system and method for analysis of segments in a transmission control protocol (TCP) session |
EP2076866A2 (en) * | 2006-10-06 | 2009-07-08 | Sourcefire, Inc. | Device, system and method for use of micro-policies in intrusion detection/prevention |
US8266702B2 (en) * | 2006-10-31 | 2012-09-11 | Microsoft Corporation | Analyzing access control configurations |
US7949716B2 (en) | 2007-01-24 | 2011-05-24 | Mcafee, Inc. | Correlation and analysis of entity attributes |
US8179798B2 (en) * | 2007-01-24 | 2012-05-15 | Mcafee, Inc. | Reputation based connection throttling |
US7779156B2 (en) * | 2007-01-24 | 2010-08-17 | Mcafee, Inc. | Reputation based load balancing |
US8069352B2 (en) * | 2007-02-28 | 2011-11-29 | Sourcefire, Inc. | Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session |
WO2008134057A1 (en) * | 2007-04-30 | 2008-11-06 | Sourcefire, Inc. | Real-time awareness for a computer network |
US8185930B2 (en) | 2007-11-06 | 2012-05-22 | Mcafee, Inc. | Adjusting filter or classification control settings |
US8045458B2 (en) * | 2007-11-08 | 2011-10-25 | Mcafee, Inc. | Prioritizing network traffic |
US8458648B2 (en) * | 2007-12-10 | 2013-06-04 | International Business Machines Corporation | Graphical modelization of user interfaces for data intensive applications |
US8589503B2 (en) | 2008-04-04 | 2013-11-19 | Mcafee, Inc. | Prioritizing network traffic |
US8474043B2 (en) * | 2008-04-17 | 2013-06-25 | Sourcefire, Inc. | Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing |
PL2157731T3 (en) * | 2008-08-18 | 2011-12-30 | Abb Technology Ag | Analysing communication configuration in a process control system |
US8272055B2 (en) | 2008-10-08 | 2012-09-18 | Sourcefire, Inc. | Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system |
JP2011123781A (en) * | 2009-12-14 | 2011-06-23 | Seiko Epson Corp | Electronic apparatus and method of controlling the same |
US8438270B2 (en) | 2010-01-26 | 2013-05-07 | Tenable Network Security, Inc. | System and method for correlating network identities and addresses |
US8302198B2 (en) | 2010-01-28 | 2012-10-30 | Tenable Network Security, Inc. | System and method for enabling remote registry service security audits |
US8707440B2 (en) * | 2010-03-22 | 2014-04-22 | Tenable Network Security, Inc. | System and method for passively identifying encrypted and interactive network sessions |
EP2559217B1 (en) | 2010-04-16 | 2019-08-14 | Cisco Technology, Inc. | System and method for near-real time network attack detection, and system and method for unified detection via detection routing |
US8549650B2 (en) | 2010-05-06 | 2013-10-01 | Tenable Network Security, Inc. | System and method for three-dimensional visualization of vulnerability and asset data |
US8621638B2 (en) | 2010-05-14 | 2013-12-31 | Mcafee, Inc. | Systems and methods for classification of messaging entities |
US8433790B2 (en) | 2010-06-11 | 2013-04-30 | Sourcefire, Inc. | System and method for assigning network blocks to sensors |
US8671182B2 (en) | 2010-06-22 | 2014-03-11 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
US8938531B1 (en) | 2011-02-14 | 2015-01-20 | Digital Defense Incorporated | Apparatus, system and method for multi-context event streaming network vulnerability scanner |
US8601034B2 (en) | 2011-03-11 | 2013-12-03 | Sourcefire, Inc. | System and method for real time data awareness |
US9367707B2 (en) | 2012-02-23 | 2016-06-14 | Tenable Network Security, Inc. | System and method for using file hashes to track data leakage and document propagation in a network |
US9043920B2 (en) | 2012-06-27 | 2015-05-26 | Tenable Network Security, Inc. | System and method for identifying exploitable weak points in a network |
US9088606B2 (en) | 2012-07-05 | 2015-07-21 | Tenable Network Security, Inc. | System and method for strategic anti-malware monitoring |
WO2014105995A1 (en) * | 2012-12-27 | 2014-07-03 | Jasper Wireless, Inc. | A system and method for responding to aggressive behavior associated with wireless devices |
US9467464B2 (en) | 2013-03-15 | 2016-10-11 | Tenable Network Security, Inc. | System and method for correlating log data to discover network vulnerabilities and assets |
US9172721B2 (en) | 2013-07-16 | 2015-10-27 | Fortinet, Inc. | Scalable inline behavioral DDOS attack mitigation |
US9973528B2 (en) | 2015-12-21 | 2018-05-15 | Fortinet, Inc. | Two-stage hash based logic for application layer distributed denial of service (DDoS) attack attribution |
US10764321B2 (en) * | 2016-03-24 | 2020-09-01 | Lenovo Enterprise Solutions (Singapore) Pte. Ltd | Identifying and remediating at-risk resources in a computing environment |
US10367846B2 (en) | 2017-11-15 | 2019-07-30 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
US10581802B2 (en) | 2017-03-16 | 2020-03-03 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Methods, systems, and computer readable media for advertising network security capabilities |
EP3632009A1 (en) * | 2017-05-31 | 2020-04-08 | Telefonaktiebolaget LM Ericsson (publ) | Methods and apparatus for maintenance in an optical communication network |
US10382473B1 (en) * | 2018-09-12 | 2019-08-13 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US11283827B2 (en) | 2019-02-28 | 2022-03-22 | Xm Cyber Ltd. | Lateral movement strategy during penetration testing of a networked system |
US11206281B2 (en) | 2019-05-08 | 2021-12-21 | Xm Cyber Ltd. | Validating the use of user credentials in a penetration testing campaign |
US10637883B1 (en) * | 2019-07-04 | 2020-04-28 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10880326B1 (en) | 2019-08-01 | 2020-12-29 | Xm Cyber Ltd. | Systems and methods for determining an opportunity for node poisoning in a penetration testing campaign, based on actual network traffic |
US11533329B2 (en) | 2019-09-27 | 2022-12-20 | Keysight Technologies, Inc. | Methods, systems and computer readable media for threat simulation and threat mitigation recommendations |
US11005878B1 (en) | 2019-11-07 | 2021-05-11 | Xm Cyber Ltd. | Cooperation between reconnaissance agents in penetration testing campaigns |
US11575700B2 (en) | 2020-01-27 | 2023-02-07 | Xm Cyber Ltd. | Systems and methods for displaying an attack vector available to an attacker of a networked system |
US11582256B2 (en) | 2020-04-06 | 2023-02-14 | Xm Cyber Ltd. | Determining multiple ways for compromising a network node in a penetration testing campaign |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5440723A (en) * | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US5586254A (en) * | 1992-02-13 | 1996-12-17 | Hitachi Software Engineering Co., Ltd. | System for managing and operating a network by physically imaging the network |
US5621889A (en) * | 1993-06-09 | 1997-04-15 | Alcatel Alsthom Compagnie Generale D'electricite | Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility |
US5623601A (en) * | 1994-11-18 | 1997-04-22 | Milkway Networks Corporation | Apparatus and method for providing a secure gateway for communication and data exchanges between networks |
US5757924A (en) * | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
1998
- 1998-07-31 US US09/127,241 patent/US6711127B1/en not_active Expired - Lifetime
1999
- 1999-07-30 AU AU52488/99A patent/AU5248899A/en not_active Abandoned
- 1999-07-30 JP JP2000563018A patent/JP2002521775A/en not_active Withdrawn
- 1999-07-30 EP EP99937710A patent/EP1101304A1/en not_active Withdrawn
- 1999-07-30 KR KR1020017001333A patent/KR100718023B1/en not_active IP Right Cessation
- 1999-07-30 WO PCT/US1999/017408 patent/WO2000007312A1/en active IP Right Grant
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20010103201A (en) * | 2000-05-06 | 2001-11-23 | 조용학 | The checking system against infiltration of hacking and virus |
KR20010105490A (en) * | 2000-05-10 | 2001-11-29 | 이영아 | Hacking detection and chase system |
KR100383224B1 (en) * | 2000-05-19 | 2003-05-12 | 주식회사 사이젠텍 | Linux-Based Integrated Security System for Network and Method thereof, and Semiconductor Device Having These Solutions |
KR20000054521A (en) * | 2000-06-09 | 2000-09-05 | 김상돈 | System and method for blocking an attack from hacking robot program |
US7036148B2 (en) | 2001-05-08 | 2006-04-25 | International Business Machines Corporation | Method of operating an intrusion detection system according to a set of business rules |
US8561167B2 (en) | 2002-03-08 | 2013-10-15 | Mcafee, Inc. | Web reputation scoring |
US8631495B2 (en) | 2002-03-08 | 2014-01-14 | Mcafee, Inc. | Systems and methods for message threat management |
EP1488316A4 (en) * | 2002-03-08 | 2010-07-28 | Mcafee Inc | Systems and methods for enhancing electronic communication security |
US8549611B2 (en) | 2002-03-08 | 2013-10-01 | Mcafee, Inc. | Systems and methods for classification of messaging entities |
EP1488316A2 (en) * | 2002-03-08 | 2004-12-22 | Ciphertrust, Inc. | Systems and methods for enhancing electronic communication security |
US7739082B2 (en) | 2006-06-08 | 2010-06-15 | Battelle Memorial Institute | System and method for anomaly detection |
US8763114B2 (en) | 2007-01-24 | 2014-06-24 | Mcafee, Inc. | Detecting image spam |
US8214497B2 (en) | 2007-01-24 | 2012-07-03 | Mcafee, Inc. | Multi-dimensional reputation scoring |
US9009321B2 (en) | 2007-01-24 | 2015-04-14 | Mcafee, Inc. | Multi-dimensional reputation scoring |
US9544272B2 (en) | 2007-01-24 | 2017-01-10 | Intel Corporation | Detecting image spam |
US10050917B2 (en) | 2007-01-24 | 2018-08-14 | Mcafee, Llc | Multi-dimensional reputation scoring |
WO2019004859A1 (en) * | 2017-06-30 | 2019-01-03 | Siemens Aktiengesellschaft | Method for monitoring an analytical system for stream data |
US11582249B2 (en) | 2019-11-27 | 2023-02-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Computer-implemented method and arrangement for classifying anomalies |
US11838308B2 (en) | 2019-11-27 | 2023-12-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Computer-implemented method and arrangement for classifying anomalies |
WO2022161607A1 (en) * | 2021-01-27 | 2022-08-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Computer-implemented method and arrangement for classifying anomalies |
Also Published As
Publication number | Publication date |
---|---|
KR20010072141A (en) | 2001-07-31 |
KR100718023B1 (en) | 2007-05-14 |
EP1101304A1 (en) | 2001-05-23 |
AU5248899A (en) | 2000-02-21 |
US6711127B1 (en) | 2004-03-23 |
JP2002521775A (en) | 2002-07-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2000007312A1 (en) | | System for intrusion detection and vulnerability analysis in a telecommunications signaling network |
US7360090B1 (en) | | Method of and apparatus for authenticating control messages in a signaling network |
EP0866626B1 (en) | | Method for querying replicated databases |
US6333931B1 (en) | | Method and apparatus for interconnecting a circuit-switched telephony network and a packet-switched data network, and applications thereof |
US6151390A (en) | | Protocol conversion using channel associated signaling |
US5764955A (en) | | Gateway for using legacy telecommunications network element equipment with a common management information protocol |
AU702328B2 (en) | | Mediation of open advanced intelligent network in SS7 protocol open access environment |
US5953404A (en) | | Method and system for providing mediated access between signaling networks |
US7594009B2 (en) | | Monitoring network activity |
US7046778B2 (en) | | Telecommunications portal capable of interpreting messages from an external device |
EP0804841B1 (en) | | Method for comparing attribute values of controllable object expressions in a network element |
US7043000B2 (en) | | Methods and systems for enhancing network security in a telecommunications signaling network |
US7401360B2 (en) | | Methods and systems for identifying and mitigating telecommunications network security threats |
JPH09512976A (en) | | How to test an intelligent network |
US8505087B2 (en) | | Signal transfer point front end processor |
EP0792075A2 (en) | | Message modification apparatus for use in a telecommunication signalling network |
WO1994005112A1 (en) | | System and method for creating, transferring, and monitoring services in a telecommunication system |
EP1974282A2 (en) | | Methods, systems, and computer program products for decentralized processing of signaling messages in a multi-application processing environment |
WO2001019010A1 (en) | | Ss7 firewall system |
US7184538B1 (en) | | Method of and apparatus for mediating common channel signaling message between networks using control message templates |
US7224686B1 (en) | | Method of and apparatus for mediating common channel signaling messages between networks using a pseudo-switch |
US7218613B1 (en) | | Method and apparatus for in context mediating common channel signaling messages between networks |
Cisco | | Appendix A Result Type Definitions |
Cisco | | Appendix A |
Cisco | | MML Command Reference Chapter of the Cisco MGC Software MML Command Reference Guide |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | WWE | Wipo information: entry into national phase | Ref document number: 1020017001333 Country of ref document: KR |
| | WWE | Wipo information: entry into national phase | Ref document number: 1999937710 Country of ref document: EP |
| | WWP | Wipo information: published in national office | Ref document number: 1999937710 Country of ref document: EP |
| | REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
| | WWP | Wipo information: published in national office | Ref document number: 1020017001333 Country of ref document: KR |
| | WWG | Wipo information: grant in national office | Ref document number: 1020017001333 Country of ref document: KR |