ITTO20090365A1 - METHOD OF DETECTION OF ANOMALIES IN A COMMUNICATION NETWORK AND NETWORK DEVICE THAT IMPLEMENTS THIS METHOD - Google Patents

Description

â € œMETHOD FOR DETECTION OF ANOMALIES IN A COMMUNICATION NETWORK AND NETWORK DEVICE IMPLEMENTING THIS METHODâ €

The present invention relates to a method for detecting anomalies in a communication network and to a network device that implements this method.

As is known, given a network of electronic devices (computers, routers, etc.) that communicate with each other, which are also referred to in the following as network devices, the need is particularly felt to guarantee correct operation. of the network in terms of security, that is to monitor and, if possible, prevent illegal actions by network users.

To this end, numerous protection devices are currently available, both of the software and hardware type, capable of being networked and performing safety functions. By way of example only, the so-called `` antivirus '' are known, i.e. computer programs which, when executed, allow to detect and, in part, prevent the carrying out of illegal actions in the computer in which they are performed (for example, by detecting and eliminating, if possible, malicious files such as so-called viruses, malware, spyware, etc.). Typically, antivirus work by searching for sequences of bytes indicating the presence of viruses within files present in the file system.

Similarly, the so-called `` firewalls '' are known, i.e. network devices that filter, on the basis of criteria (also called policies or rules) typically established by a network administrator, packets coming from or directed towards a portion of the network (subnet ), or packets coming from or going to a network device. In this way, firewalls control the connections that are established between different network devices, that is, they control the communications that take place between different network devices.

The so-called intrusion detection systems (â € œIntrusion Detection Systemâ €, IDS) are also known, i.e. network devices that allow the identification of unauthorized access and access attempts to computers and communication networks, such as for example attacks carried out through the execution of malicious applications, or attempts to access computers by illegally raising user privileges. Operationally, the IDS systems work by searching for signatures indicative of attacks, in order to discriminate between lawful and illegal actions.

Still by way of example, the so-called intrusion prevention systems (â € œIntrusion Prevention Systemâ €, IPS) are also known, i.e. systems similar to IDS systems, but capable of actively operating to block or prevent illegal actions, implementing more complex rules compared to what happens, for example, in firewalls.

Each protection device can determine the illegality of actions of only a certain type, or in any case of a limited number of types; for this purpose, each protective device detects actions of this type (or of this limited number of types). For example, in the case of firewalls, the detected actions are communications between network devices, while, in the case of antivirus, these actions are operations carried out in the computer where the antivirus is run. More precisely, firewalls allow / prohibit communications between network devices by comparing data exchanged during such communications (for example, IP addresses of data packets) with their own rules, while antivirus checks perform data checks inside the computers in which are installed. As regards, instead, the IDS and IPS systems, they control the actions carried out within a network as a whole.

Whenever a protective device detects an action, it classifies it as lawful or illegal, applying specific rules of the protective device itself. For example, in the case of a firewall, the rules directly explicate lists of allowed connections and lists of forbidden connections, therefore the application of the rules consists in comparing each connection, that is, each packet received by the firewall, with these lists, in order to establish its lawfulness. On the other hand, in the case of protection devices that operate by searching for signatures, such as for example some antivirus, the rules are generally implicit, that is, they basically consist in verifying the presence of the sought signatures. For the purposes of the present invention, the details relating to the practical implementation of the rules in the protective devices are not relevant.

In use, the protective devices generate a respective log file, generally known as â € œlogâ €, which contains information relating to detected and classified actions. In detail, given a protection device inside a network (therefore, provided with a respective network address), for each detected and classified action it sequentially inserts a corresponding entry (â € œentryâ €) in its log, typically in proprietary format. The item contains different information depending on the type of action to which it refers, such information being generally contained in corresponding fields of the item, meaning with an item field a portion of the item dedicated to containing a corresponding information, and regardless of the format actually used by the item. single protection device to encode this corresponding information. Therefore, different types of protection devices generate logs whose entries have different fields. However, there is some information common to all protective device entries, so there are fields that are common to protective devices. In fact, given an entry generated by a generic protection device after having detected and classified an action, therefore after having applied its rules, it contains at least the following fields (figure 1):

- a time value field 101, containing an instant of time associated with the action, typically the instant of detection of the action, or the instant in which the protective device considered has applied the rules to classify the action € ™ action;

- an address field 102, containing a network address of a network device;

- a result field 103, containing the outcome of the application of the rules, ie an indication as to whether the action has been classified as lawful or unlawful;

- an action field 104, containing an action identifier determined according to the type of action detected.

Regarding the address field 102, the network address contained therein differs according to the protection device that generated the voice. For example, in the case of antivirus, the address field 102 contains the network address of the computer in which the antivirus is installed. In the case of a firewall, therefore in the case of a protection device that monitors connections between pairs of network devices, i.e. transmissions of data packets (`` data packet '') from a source device to a destination device, the address field 102 instead contains the network address of the source device. For example, in the case of IP networks, the IP address of the source device is present in the address field 102.

Regarding the result field 103, in the case of an unlawful action it can contain a generic indication of illegality, or it can contain a specific indication of illegality, typically indicative of an action carried out by the protective device itself in response to the € ™ action detected. For example, in the case of firewalls, in the event of an illegal action, the result field 103 may contain an indication relating to the refusal of a packet (â € œrejectâ €), or to the issuance of an alert (â € œalertâ €) by the firewall itself.

Regarding the action field 104, it contains an identifier that allows you to precisely identify the action to which the item corresponds. For example, in the case of an entry generated by a firewall following the detection of a communication via ftp protocol, the action field 104 can contain an identifier relating to the TCP transport protocol (â € œTransport Control Protocolâ €) and to port twenty-one, used by the ftp protocol.

In addition to the aforementioned fields, the items may include further fields (in figure 1 indicated generically with 105), depending on the protection devices that generated them. For example, in the case of firewalls and IDS / IPS systems, the entries include, among other things, an additional address field, containing the network address of the transmission destination device to which the entry refers. In the case of traditional anti-virus, ie operating on the file system of the computer in which it is installed, this additional address field is absent. However, the further address field may be present in the case of antivirus of the (known) type capable of analyzing the content of data packets directed towards the computer itself, in which case the address field 102 contains the network address of the computer in which the antivirus is installed, while the additional address field generally contains a network address of another network device.

Operationally, given a network in which there are different types of protection devices (for example, a plurality of antivirus, one or more firewalls, etc.), each protection device detects and classifies a respective plurality of actions, in a substantially independent manner what is detected by the other protective devices. Furthermore, typically each protection device detects and classifies individual actions, without providing information relating to aggregates of actions, ie information relating to any correlations existing between two or more detected actions. Furthermore, the individual actions are generally classified as lawful and illegal, without it being possible to have information about the seriousness of any illegal actions.

From the point of view of network security, the classification of single actions, and therefore the determination of the illegality of single actions, is not enough to guarantee the security of the network. Rather, the need is felt to have information relating to the occurrence of widespread violations of the rules applied by the network protection devices, as well as information relating to the seriousness of the illegal actions. In detail, the need is felt to have information relating to the occurrence, within the network, of so-called anomalies, meaning by anomaly the occurrence of a set of violations of rules, i.e. of illegal actions, with timescales and gravity settable in advance.

The problems described are only partially solved by some recent IT security systems, which can be connected to the network and are configured to interface with the network protection devices, periodically download the logs and provide statistical analysis of the information collected. On the basis of this statistical information, it is then possible to identify, for example, the repetition of a certain type of illegal action, detected by one or more protective devices.

However, these security systems use large data bases (â € œdatabasesâ €), into which they periodically pour the contents of the logs downloaded from the protection devices, in view of the subsequent analysis. Therefore, these systems make use of additional elements (databases) with respect to the network to be monitored, which are extremely expensive, due to the large amount of data they must contain. To this is added the fact that the times of writing and accessing the data contained in the databases make the operations carried out by these security systems particularly slow.

Furthermore, since they rely on databases, known security systems do not process the content of each log in a continuous flow (â € œon-lineâ €), that is, as soon as this content is available, but rather they analyze the data contained in the databases in subsequent instants of time, with consequent delays in the analysis of the data. It follows that, when a first processing of the database content is started, for example at a given Tstart instant, the data contained in the database is processed at the Tstart instant, without it being possible to process the data received during the first processing. itself, subsequently to the instant Tstart. In order to also analyze these data, it is necessary to start a new processing, subsequent to the first processing, which will have as its object not only these data received during the first processing, but also the data contained in the database at the Tstart instant, therefore already object of the first elaboration.

Finally, to carry out the analyzes, the known security systems use a quantity of computational resources that typically depend on the quantity of data contained in the databases, that is, they perform a number of operations depending on the number of input data (the entries) to be analyzed.

The purpose of the present invention is to provide a method for detecting anomalies in a communication network and a network device which allow to solve at least in part the drawbacks of the known art.

According to the present invention, a method for detecting anomalies in a communication network, a protection device implementing this method and a software product are provided, as defined, respectively, in claims 1, 33 and 34.

For a better understanding of the invention, embodiments are now described, purely by way of non-limiting example and with reference to the attached drawings, in which:

- figure 1 shows a structure of an entry of a log according to the known art;

Figure 2 schematically shows a data structure according to the present invention;

Figure 3 schematically shows a structure of a cell of a data structure according to the present invention;

Figure 4 shows a flow diagram of a search function relating to a data structure according to the present invention;

figure 5 shows a flow diagram of an erasing function relating to a data structure according to the present invention;

figure 6 shows a flow diagram of an updating function relating to a data structure according to the present invention;

figure 7 shows a flow diagram of an insertion function relating to a data structure according to the present invention;

Figure 8 shows a flow diagram of an embodiment of the present anomaly detection method;

Figure 9 schematically shows a structure of a metadata according to the present invention;

Figure 10 shows a flow chart of verification operations, according to the present invention;

Figures 11a, 11b and 12 schematically show cell structures of data structures according to the present invention;

Figures 13-15 show flow diagrams of data structure updating operations, according to the present invention.

As described in detail below, the present method of identifying anomalies in a communication network provides, broadly speaking, to acquire entries generated by one or more protection devices in response to corresponding actions detected by the protection devices themselves, and, for each of these items, generate a corresponding metadata (described in detail below), aggregate the metadata into one or more data structures on the basis of a set of information contained in the metadata, and determine the presence of one or more anomalies on the basis of content of these data structures.

The data structures used in the embodiments of the present invention are of the type shown in Figure 2. In detail, a data structure 200 comprises a number D (in the example of Figure 2, D = 3) of tables 201, each table 201 being formed by a respective plurality of cells 202, arranged on a number H (in the example of figure 2, H = 4) of rows 203 and a number W (in the example of figure 2, W = 8) of columns 204, which respectively represent the height and width of the table 201. For convenience of description, and without loss of generality, it is assumed that the height H and the width W of each table, as well as the position of the tables 201 within a data structure 200, are measured with respect to the reference system shown in figure 2. Furthermore, in order to be able to individually identify all the cells 202 of a data structure 200, a first, a second and a third index are assumed, respectively named as d, h and w, and aven The function is to indicate, respectively, tables 201 and, within each table 201, rows 203 and columns 204 of cells 202.

Each cell 202 has three fields, illustrated in Figure 3 and also described in greater detail below: a footprint field 301, containing an Fcl footprint; a time stamp field 302, containing a time stamp Tcl; and a data field 303, adapted to contain data.

Operationally, aggregating the metadata in a data structure 200 of the type shown in figure 2 means that the cells 202 of the data structure are selected on the basis of portions of metadata, which are referred to as aggregation elements (hereinafter, for the sake of brevity, elements) , and may contain information relating to several metadata, having the same elements. In other words, a relationship is established between the elements and the indices h and w of each table 201 of the data structure 200. Therefore, the data structure 200 is indexed as a function of the elements.

As regards, instead, the content of cells 202, it is made up of information that can be deduced from the metadata, as will be clarified later, once the metadata themselves have been described in greater detail.

Access to a data structure can occur when it is necessary: a) to search for the presence of a cell 202 that is not empty (occupied) and indicated by an element, this cell 202 containing information relating to the element, or rather information relating to one or more metadata acquired and all having this element; b) deleting the content of a cell 202 indicated by an element of a metadata; c) updating a cell 202 occupied and indicated by an element of a metadata, with whose information the cell 202 is to be updated; d) inserting information relating to a metadata in a cell 202 indicated by an element of the metadata and previously empty. In the following, for the sake of brevity, operations a-d) will be referred to respectively as the search, insertion, cancellation and updating functions of an element, implying the reference to the relative cell 202.

By way of example, if it is necessary, given an element X of a metadata, to search for a corresponding cell 202 of a data structure (function a), the operations illustrated in figure 4 are carried out. here that the metadata to which the element X refers contains a time instant Tm, described in detail below together with other information contained in the metadata itself, not relevant for the purposes of the operations described here.

In detail, a so-called hash function is calculated (block 401), having as argument the element X, and providing as output a string having a predetermined number of bits, which is referred to in the following as the Xkey key. Preferably, the hash function is a function belonging to a class of functions known per se and known as universal hash functions, described for example in J. Carter, M.Wegman, â € œUniversal classes of hash functionsâ €, Journal of Computer and System Sciences Vol. 18 Issue 2 (April 1979) 143-154.

Subsequently, (block 402) as many permutations of the key Xkey as the tables of the data structure are calculated (in the example of figure 2, three), for example by means of per se known pseudorandom algorithms.

Therefore, from each permutation Pisi determine, Simone BONGIOVANNI 16 <(Albo Registration nr. 615 / BM)> by extraction, a first and a second substring (block 403), which is referred to in the following as column index C and imprint Fi . In detail, the column indexes Ci have a number ncdi bits sufficient to index all the columns 204 of the tables 201, thus depending on the width W of the tables 201 themselves. In the case of the data structure 200 illustrated in Figure 2, since the width W is equal to eight, column indices C of three bits are required, which can be obtained by selecting, for example, the first three bits of each permutation Pi. The footprints Fi have a number nF of bits, preferably between 1 and nk-nc, so that there are no bits in common between each fingerprint F and the corresponding column index Ci.

At the end of the described operations, there is a number D of pairs of column indices Cie of footprints Fi, each pair being relative to a respective table 201 of the data structure 200. In other words, given an element, one has D indices of column Cie of D footprints Fi, each column index Cie each corresponding footprint F being valid only for the respective table 201.

Operationally, the column indices indicate, within the respective table 201, in which column 204 the searched cell 202 can be found. Regarding the footprints Fi, since it is possible that the operations referred to in blocks 401-403, although carried out on different elements, generate, in relation to one or more tables 201, the same column indices Ci (collisions), uses Fiper fingerprints to minimize the risk that two or more different elements indicate the same cell 202, as explained below.

Again with reference to figure 4, one searches (block 404), within tables 201, a candidate cell, that is, a cell occupied and belonging to a column of a table indicated by the column index Cir relating to the table . In detail, we consider the cells of each table 201 belonging to the first row and indicated by the respective column indices Ci, starting for example from the table furthest to the left, that is, with the lowest index d (similar considerations apply if starting from table furthest to the right, that is, with greater index d). In other words, within the table with lower index d, the cell lying on the first row and belonging to the column indicated by the column index Ciassociato to that table is considered; if this cell is empty, the operation is repeated in relation to the following table 201, and so on, until the tables 201 are exhausted, in which case the second row is passed, and so on until the € ™ height H of the data structure 200, in which case (NO output of block 404) the search ends without result.

If a candidate cell is identified (output YES of block 404), the time stamp Tcld of the candidate cell is compared (block 405) with the time instant Tm of the metadata.

If the time stamp Tcl is subsequent to the time instant Tm (output SI of block 405), an exception is generated and operations are interrupted; in fact, the exception indicates that a metadata has been acquired whose time instant Tm is older than the time stamp Tcl, which is impossible if it is assumed that the protection devices that generate the logs have synchronized time bases (and increasing). Vice versa (output NO of block 405), it occurs (block 406) if the difference between the time instant Tm and the time stamp Tcl is greater than a persistence time Tp, which can be set a priori.

If Tm-Tcl> Tp occurs (YES output of block 406), the content of the candidate cell is deleted (block 407); vice versa, in the event that Tm-Tcl <= Tp (output NO of block 406) occurs, the imprint Fcl contained in the candidate cell is compared (block 408) with the imprint Firelative to table 201 to which the candidate cell belongs .

If the imprint Fcl contained in the candidate cell is different from the imprint Fi (NO output of block 408), it means that the identified candidate cell does not actually correspond to element X, therefore one returns to block 404, for search for a new candidate cell, continuing the search as described above.

Conversely, if the imprint Fcl contained in the candidate cell is equal to the imprint Fi (SI output of block 408), it means that inside the data structure 200 there is actually a cell 202 indicated by element X, i.e. corresponding to element X. In particular, the cell corresponding to element X is arranged on a column 204 of a table 201 of the data structure 200, column 204 being indicated by the column index Cirelative to table 201, and contains the corresponding imprint Fi; moreover, cell 202 has time stamp Tcl included in the interval [Tm-Tp, Tm].

In a very similar way to that described in relation to the search for an element (function a), it is possible to delete, update and insert elements (functions b-d) inside a data structure 200.

For example, as shown in figure 5, in addition to the operations described in relation to figure 4 (blocks 401-408), the cancellation of an element X provides for the cancellation, if present, of the corresponding cell 202, which means an operation cancellation of cell 202 (block 409), subsequent to the YES output of block 408. If the corresponding cell 202 is not present (NO output of block 404), the cancellation is superfluous. For practical purposes, deleting an element is equivalent to searching for the corresponding cell 202 and, if present, deleting its content.

Similarly, if an element needs to be updated, proceed as shown in figure 6. In detail, proceed in the same way as described in figure 4, with particular reference to blocks 401-408, in order to search for the Inside the data structure 200 the corresponding cell 202, the content of which must be updated. If the corresponding cell 202 (output YES of block 408) is found, the corresponding cell 202 (block 410) is updated, and in particular the content of the data field 303 is updated. the search does not produce results (output NO of block 404), it is not possible to proceed with the update (block 411).

Finally, if an element X is to be inserted, proceed as illustrated in figure 7. In detail, proceed in the same way as described in respect of figure 4, with particular reference to blocks 401-408, so as to search if inside the data structure 200 there is already a cell corresponding to the element X to be inserted, in which case (output YES of block 408) it is not possible to insert.

Vice versa, if inside the data structure 200 there is no cell corresponding to element X (output NO of block 404), one proceeds to insert the element (block 412). To this end, the D columns 204 indicated by the column indices Ci (determined in blocks 401-403) are considered, these D columns 204 belonging to respective tables 201, and the first unoccupied cell 202 of column 204 having fewer cells is selected. occupied 202. For example, counting rows from the bottom selects the non-empty cell 202 with the lowest row index h. In the event that there are several columns 204 with a minimum number of occupied cells 202, select, for example and without loss of generality, the leftmost table cell within the data structure 200, that is, with reference to the Figure 2, the table with the lowest table index d. Furthermore, the insertion foresees that, inside the selected cell 202, the imprint Fin in the imprint field 301, the time instant Tm in the timestamp field 302, and information contained in the metadata in the field of data 303. Note that, as previously said, the footprint Fid depends on the selected cell 202, or rather on the table 201 to which the selected cell 202 belongs; in fact, of the D Reliable footprints for element X, the Firelating footprint is inserted in the table 201 to which the selected cell 202 belongs.

On the basis of the functions a-d) described, it is obtained that each non-empty cell 202 contains a respective timestamp T indicative of the most recent data entry in cell 202 itself, i.e. the time instant Tmm stored in cell 202 the most recent time in which you have entered data in the cell (previously empty).

Furthermore, it should be noted that in all the functions a-d relating to data structures, each time a cell 202 is accessed, that is, each time a non-empty cell 202 is identified (output SI of block 404), one proceeds to verify that the difference between the time instant Tm of the metadata to which the element refers and the time stamp Tcl does not exceed the persistence time Tp (block 406), under penalty of cancellation of the contents of cell 202 (block 407). Operationally, this means deleting the contents of cells 202 if the time stamp Tcl is older than the persistence time Tp with respect to the time instant Tm. In this way, the data structures 200 do not require further deletion or emptying operations. In fact, once the number of tables 201, the number of rows 203 and the number of columns 204 have been set during the configuration phase, by appropriately dimensioning the persistence time Tp, it is possible to acquire entries (i.e. metadata) in a continuous flow, without verify the total filling, and the consequent subsequent loss of data, of the data structures 200.

Note also that the functions a-d) require a number of operations which does not depend on the number of items to be analyzed, but on the size of each table 201 (in particular on the number of rows 203), and on the number of tables 201, that is ̈ by parameters established during the configuration phase. Therefore, the worst case involves a number of operations established in the configuration phase and constant. Note that the worst case occurs when you search for a cell 202 placed in the table furthest to the right (or, further to the left, if you search starting from the table furthest to the right) and in the row with row index h equal to H , that is the last line.

Having said all this, Figure 8 shows an embodiment of the present method of identifying anomalies, comprising the steps, described in detail below, of acquiring an entry (block 801), generating (block 802) a metadata on the basis of this voice; subsequently, check (block 803) if the metadata is a duplicate metadata (described in detail below); if it is a duplicate metadata (YES output of block 803), acquire a new entry (block 801) and iterate the operations carried out in blocks 802-803, vice versa (NO output of block 803) perform three updates (blocks 804, 805 and 806), respectively of three data structures of the type described above, and subsequently iterate the operations referred to in block 801.

In detail, the step 802 of generating, starting from an item, the corresponding metadata is also known as â € œnormalizationâ €, as it allows to create, starting from a first entity (the item) whose format depends on the type of the protection device that generated it, that is, starting from an entity that has fields in number and format depending on the protection device that generated it, a second entity (the metadata), which has fields predetermined. Therefore, the metadata thus created act as data descriptors (the entries), ie data superstructures that allow the comparison between the entries, even when the entries are generated by different types of protection devices.

As shown in figure 9, given an entry generated by a protection device following the detection of an action, the corresponding metadata has the following fields:

- a temporal instant field 901, in which the previously mentioned temporal instant Tm is inserted and equal to the content of the temporal value field 101 of the item, so that the metadata contains a temporal instant associated with the action;

- a first address field 902 and a second address field 903, containing respectively a first and a second network address, already contained in the item and relating to respective network devices, whether they are protection devices or not;

- a field of lawfulness 904, containing an indication relating to the lawfulness or illegality of the action;

- an event field 905, containing an event identifier (event ID), determined according to the action, in this case according to the content of the action field 104 of the item, possibly associating the same event ID to different actions, such as described below;

- a 906 weight field, containing an indicative weight of the importance to be attributed to a corresponding event, as described below.

By way of further clarification about the first and second address fields 902, 903, two examples are given, respectively relating to the case of a voice generated by a firewall in response to a transmission of a data packet from a source device to a target device, and in the case of a voice generated by an antivirus.

In the case of the firewall, the first address field 902 contains the network address of the source device, contained in the address field 102 of the item, while the second address field 903 contains the network address of the destination device, contained in the additional address field of the entry.

In the case of antivirus, two cases must be distinguished: if the entry contains the additional address field, the first address field 902 is set equal to the address field 102 of the entry, and the second address field 903 Ã ̈ set equal to the additional address field of the item; vice versa, and that is, if the entry has the address field 102, but not the further address field, both the first address field 902 and the second address field 903 are set equal to this address field 102.

As regards the field of lawfulness 904, if the result field 103 of the item contains an indication of lawfulness, it contains an indication of lawfulness. Conversely, that is, in the event of an unlawful action, regardless of whether the result field 103 contains a generic indication of illegality, or a specific indication of illegality, the lawfulness field 904 contains the same indication of illegality.

As regards, instead, the event field 905, the determination of the event ID according to the action follows criteria that can be set at will, for example in a configuration phase of this method, designed to define a number of criteria useful to implement this method. Therefore, different actions can generate metadata with the same event ID, ie they can be considered as the same event. For example, considering three actions relating, respectively, to the transmission of three data packets using the UDP protocol, but on three different ports of a target device, it is possible to associate the same event ID to all three of the aforementioned actions, in the event that we want to consider the three actions as equivalent from a safety point of view. Conversely, a virus detection action may advantageously be associated with a different event ID, as it is not equivalent, for security purposes, to the three actions described above. Again by way of example, and again with reference to the case of the transmission of three data packets using the UDP protocol, it is possible to associate three different event IDs to the three actions, each event ID being formed by the concatenation of the UDP protocol with the respective port.

Similarly, the determination of the weight to be entered in the weight field 906 follows criteria that can be set at will, for example during the aforementioned configuration phase. By way of example, the weights can be assigned in such a way as to be indicative of the importance to be assigned to the corresponding events. For example, there may be criteria which envisage, in the event of unlawful events, assigning higher weights the more the unlawful events are considered dangerous for safety purposes; in this case, for example, associating a null weight to an event ID means considering the corresponding event irrelevant for security purposes. Note also that, given a metadata, the meaning assumed by the weight depends on the content of the field lawfulness 904, ie on the fact that the action to which the metadata refers has been considered lawful or unlawful. In particular, in the event of an unlawful event, the weight is indicative of the seriousness of the event, vice versa it is indicative of how much the event is to be considered indicative of the absence of unlawful actions.

It should also be noted that the meaning of the indication contained in the field of lawfulness 904, originating from the action to which the metadata refers, is then applied to the event represented by the metadata itself. For simplicity, in the following we will refer to lawful metadata (and events) and illegal metadata (and events), depending on the contents of the respective lawfulness fields 904.

Again with reference to figure 8, after the generation of the metadata (block 802), the subsequent block 803 provides, in order to verify whether the metadata is a duplicate metadata, to search for the aforementioned metadata within a first or second data structure, of the type described above and respectively named ASM_OK and ASM_KO.

Operationally, as shown in Figure 10, an element is extracted (block 1001) from the metadata, indicated here with X1, comprising the contents of the first and second address fields 902, 903, and of the event field 905. Subsequently, it is determined (block 1002) if the metadata is lawful or not, that is, the content of the lawfulness field 904 of the metadata is examined. If the metadata is legal (YES output of block 1002), the metadata is searched in the ASM_OK data structure, vice versa (NO output of block 1002) the metadata is searched in the ASM_KO data structure.

In detail, the cells of the data structures ASM_OK and ASM_KO respectively have the formats illustrated in Figures 11a and 11b. In particular (figure 11a), the cells of the data structure ASM_OK have, in addition to the fields of footprint 301 and time stamp 302 already described, the data field 303 (figure 3) consisting of a positive weight field 304 (â € œweight OKâ €). Instead, as shown in figure 11b, the cells of the data structure ASM_KO have, in addition to the already described fields of footprint 301 and time stamp 302, the data field 303 (figure 3) consisting of a negative weight field 305 (â € œweight KOâ €).

Operationally, in case of lawful metadata (YES output of block 1002), the steps shown again in figure 10 are carried out. 1003), after setting an indicator (â € œflagâ €) to zero (operation not shown).

If the search does not produce results (output NO of block 1003), the flag is set to one (operation not shown), and the element X1 is inserted inside the data structure (block 1004), by means of the function d) previously described; in particular, the imprint Fi, the time instant Tmed and the weight are entered in the corresponding cell, respectively in the imprint 301, timestamp 302 and positive weight 304 fields. Subsequently, a weight is determined (block 1005) total Pt1, obtained by adding the content of the weight field 906 of the metadata, that is the weight, with the content of the positive weight field 304 of the cell.

If the search identifies a corresponding occupied cell (YES output of block 1003), the operations of block 1005 are carried out directly.

Subsequently, the total weight Pt1 is compared (block 1006) with a PMOK threshold, which can be set statically (for example, during the configuration phase), or dynamically.

If the total weight Pt1 is lower than the PMOK threshold (NO output of block 1006), the data structure ASM_OK is updated (block 1007), by means of function c) and so that the positive weight field 304 of the cell is placed equal to the total weight Pt1.

If the total weight Pt1 is higher than the PMOK threshold (output YES of block 1006), the flag is set equal to zero (operation not shown), and element X1 is deleted from the ASM_OK data structure (block 1008), by means of function b) previously described.

In both cases (blocks 1007, 1008) a check of the value of the flag is then carried out (block 1009), described in detail below.

In case of illicit metadata (NO output of block 1002), the X1 element is searched inside the ASM_KO data structure (block 1010), after setting the flag to zero (operation not shown).

If the search does not produce results (output NO of block 1010), the flag is set to one (operation not shown), and the element X1 is inserted inside the data structure ASM_KO (block 1011), by means of function d) previously described; in particular, the imprint Fi, the time instant Tmed and the weight are entered in the corresponding cell, respectively in the imprint 301, timestamp 302 and negative weight 305 fields. Subsequently, a weight is determined (block 1012) total Pt2, obtained by adding the content of the weight field 906 of the metadata, that is the weight, with the content of the negative weight field 305 of the cell.

If the search identifies a corresponding occupied cell (YES output of block 1010), the operations referred to in block 1012 are carried out directly.

Subsequently, the total weight Pt2 is compared (block 1013) with a PMKO threshold, which can be set statically (for example, during the configuration phase), or dynamically.

If the total weight Pt2 is lower than the PMKO threshold (NO output of block 1013), the data structure ASM_KO is updated (block 1014), by means of function c) and so that the negative weight field 305 of the cell is placed equal to the total weight Pt2.

If the total weight Pt2 is higher than the PMKO threshold (YES output of block 1013), the flag equal to zero is set (operation not shown) and an anomaly is signaled (block 1015) associated with element X1, therefore by the triad formed by the first and second network address, and by the event ID. The signaling of the anomaly includes, in addition to the element X1, the content of the negative weight field 305, which can be used as an indicator of the severity of the anomaly, and a detection time interval, starting with the time stamp Tcldella cell and the time instant Tm as the end. Subsequently, element X1 is deleted from the ASM_KO data structure (block 1016) by means of function b) previously described.

In both cases (blocks 1014 and 1016), the flag value is then checked (block 1009).

In particular, if the flag is null (output SI of block 1009), it means that it is a duplicate metadata. Conversely, and that is, if the flag is equal to one (output NO of block 1009), it means that it is a non-duplicated metadata, which is also referred to in the following as root metadata.

In detail, the operations referred to in block 803 are such that a metadata is considered as a duplicate whose first address 902, second address 903, lawfulness 904 and event 905 fields are equal to the corresponding fields of a previously received metadata and still present in a data structure (alternatively, the data structure ASM_OK or ASM_KO), that is a metadata whose element X1 is still present in a data structure (ASM_OK or ASM_KO), indicating a corresponding occupied cell. A metadata is instead considered as a root metadata if it is neither present in the ASM_OK data structure nor in the ASM_KO data structure, and has a weight not exceeding the PMOK threshold (in the case of lawful metadata), or the PMKO threshold ( in case of illegal metadata).

Operationally, assuming to acquire at the instant T0 a root metadata, all the metadata with fields of first and second address 902, 903, of lawfulness 904 and of event 905 equal to the corresponding fields of the root metadata, and received in an interval of time immediately following the instant T0e having a duration equal to the persistence time Tp, ie having temporal instants Tm included in the interval [T0, T0 + Tp], are discarded. In fact, as shown in Figure 8, in the case of duplicated metadata (YES output of block 803), the metadata is not processed further, but a new entry is acquired (block 801).

However, it should be noted that the operations carried out in blocks 1005, 1006 and 1007 ensure that the repetition, within the persistence time Tp, of duplicate metadata, legal and with weights such that the total weight Pt1 exceeds the PMOK threshold, causes the cancellation of element X1 (block 1008). Consequence of the cancellation of the X1 element is the fact that any subsequent lawful metadata having the same fields of first and second address 902, 903, of event 905, and with a weight lower than the PMOK threshold, will be considered not duplicated, and therefore not it will be discarded, but it will be processed as described below.

Similarly, the operations carried out in blocks 1012, 1013 and 1014 ensure that the repetition, within the persistence time Tp, of duplicate and illegal metadata with weights such that the total weight Pt2 exceeds the PMKO threshold, causes the reporting of an anomaly (block 1015), as well as the deletion of the element X1 (block 1016). Consequence of the cancellation of the X1 element is the fact that any subsequent illegal metadata having the same first and second address fields 902, 903, and event 905, and with a weight lower than the PMKO threshold, will be considered not duplicated, and therefore it will not be discarded, but will be processed as described below.

It should also be noted that the operations referred to in blocks 1003, 1004, 1007, 1008 and 1010, 1011, 1014, 1016, and the consequent accesses to cells occupied by the data structures ASM_OK and ASM_KO, involve the cancellation (see blocks 406 and 407) of the cells with time stamps Tcl older, with respect to the time instant Tm, by a time greater than or equal to the persistence time Tp, so as to avoid the complete filling of the data structures ASM_OK and ASM_OK, and the consequent impossibility of manage metadata acquired after the aforementioned filling.

Since the operations referred to in blocks 1004, 1007, 1008, 1011, 1014 and 1016 intrinsically provide for search operations, therefore operations already carried out in blocks 1003 and 1010 (calculation of hash functions, calculation of permutations Pie determination of indices of the Cie column of the Fi footprints, search for an occupied cell, etc.), to avoid duplication of operations, it is possible to implement, in a per se known way, storage mechanisms (â € œcachingâ €) of the column indexes Cie of the footprints Fidetermined during the operations of blocks 1003 and 1010. For example, in the event that a search of one of the blocks 1003 and 1010 finds a corresponding cell, it is possible to store the corresponding column index Cie the respective footprint Fi, as well as that the table in which the cell is located, in order to make this information immediately available to subsequent blocks, such as blocks 1007 and 1008, or 1014 and 1016.

Also note how it is possible to check if a metadata is duplicated or rooted in a different way from what is described, for example by assigning different values to the flag, or by using data structures and controls different from what is described, in a way per se known. What is relevant for the purposes of the present invention is the possibility of distinguishing between duplicate metadata and root metadata.

Again with reference to Figure 8, in the case where the metadata is a root metadata (NO output of block 803), the metadata is used to update three data structures, respectively named FSC, FDC and FEC (blocks 804-806). In the rest of this document, when reference is made to metadata with which the FSC, FDC and FEC data structures are updated, i.e. to metadata used in the operations referred to in blocks 804-806, it is implied that such metadata is root metadata .

Each of the aforementioned data structures FSC, FDC and FEC is formed by cells of the type shown in Figure 12, therefore comprising, in addition to the already described fields of footprint 301 and time stamp 302, a data field 303 formed by a weight field lawful 306 and a field of illegal weight 307, functionally analogous to the fields of positive weight 304 and negative weight 305, respectively of the cells of the data structures ASM_OK and ASM_KO.

As shown in Figure 13, to update the FSC data structure (block 804) an element, called X2, is extracted (block 1301) from the metadata, comprising the content of the first address field 902 of the metadata. Subsequently, the values of two thresholds, called FSC threshold and d-FSC decision threshold, are set (block 1302). These thresholds can be set dynamically, therefore they can vary at each update of the FSC data structure, or they can be set statically, for example during the configuration phase, and remain unchanged during the execution of this method.

Then the element X2 is searched inside the FSC data structure (block 1303), by means of the function a) previously described.

If element X2 is not present in the FSC data structure (output NO of block 1303), the element X2 is inserted into the internal FSC data structure (block 1304), using function d). In particular, the imprint Fie is entered in the cell corresponding to the element X2 and the time instant Tm, respectively in the imprint 301 and timestamp 302 fields. (contained in the weight field 906 of the metadata) in the lawful weight field 306 of the cell, initializing the illegal weight field 307 to zero; vice versa, in the case of illegal metadata, the weight is entered in the illegal weight field 307 of the cell, initializing the lawful weight field 306 to zero. Subsequently, the operations are terminated.

Vice versa (output YES of block 1303), that is, if there is a cell corresponding to element X2, two quantities are calculated (block 1305): a positive total weight Ptp_FSC and a negative total weight Ptn_FSC. In detail, in the case of lawful metadata, the total positive weight Ptp_FSC is given by the sum of the weight of the metadata with the content of the lawful weight field 306 of the cell; instead, the total negative weight Ptn_FSC is given by the content of the illegal weight field 307 of the cell. In case of illegal metadata, the total positive weight Ptp_FSC is given by the content of the legal weight field 306 of the cell; instead, the total negative weight Ptn_FSC is given by the sum of the weight of the metadata with the content of the illegal weight field 307 of the cell.

Subsequently, it is checked (block 1306) whether the sum of the total positive weight Ptp_FSC and the total negative weight Ptn_FSC exceeds the decision threshold d-FSC.

In the event that this sum exceeds the decision threshold d-FSC (output SI of block 1306), it occurs (block 1307) if the ratio between the total negative weight Ptn_FSC and the aforementioned sum exceeds the FSC threshold.

If the ratio between the total negative weight Ptn_FSC and the sum of the total positive weight Ptp_FSC and the total negative weight Ptn_FSC actually exceeds the FSC threshold (SI output of block 1307), an anomaly (block 1308) associated with the element X2, therefore associated with the first network address. The reporting of the anomaly includes, in addition to the element X2, the content of the illegal weight field 307, which can be used as an indicator of the severity of the anomaly, and a detection time interval, starting with the content of the mark temporal Tcld of the cell and the temporal instant Tm as the end. Subsequently, by means of function b) previously described, element X2 is deleted from the FSC data structure (block 1309).

Vice versa, if the ratio between the total negative weight Ptn_FSC and the sum of the total positive weight Ptp_FSC and the total negative weight Ptn_FSC is lower than the FSC threshold (NO output of block 1307), it occurs (block 1310) if the ratio between the weight total positive Ptp_FSCe the sum of the total positive weight Ptp_FSC and the total negative weight Ptn_FSC exceeds the FSC threshold. If the ratio between the total positive weight Ptp_FSC and the sum of the total positive weight Ptp_FSCe and the total negative weight Ptn_FSC exceeds the FSC threshold (output SI of block 1310), one proceeds to carry out the operations of block 1309, i.e. to cancel the € ™ element X2from the FSC data structure. Vice versa (output NO of block 1310), the cell corresponding to element X2 (occupied) is updated (block 1311) by means of function c) previously described, in such a way that the legal weight range 306 and the weight range illicit 307 of the cell corresponding to element X2 are set equal, respectively, to the total positive weight Ptp_FSC and the total negative weight Ptn_FSC.

If the sum of the total positive weight Ptp_FSC and the total negative weight Ptn_FSC does not exceed the d-FSC decision threshold (NO output of block 1306), one proceeds directly to carry out the operations of block 1311, i.e. to update the cell corresponding to the € ™ element X2 in such a way that the legal weight range 306 and the illegal weight range 307 are set equal, respectively, to the total positive weight Ptp_FSC and the total negative weight Ptn_FSC.

Similarly to what has been described in relation to the FSC data structure, the updating of the FDC data structure takes place as shown in figure 14.

In detail, to update the data structure FDC (block 805) an element, called X3, comprising the content of the second address field 903 of the metadata is extracted (block 1401) from the metadata. Subsequently, the values of two thresholds are set (block 1402), respectively called threshold FDC and decision threshold d-FDC. These thresholds can be set dynamically, therefore they can vary at each update of the FDC data structure, or they can be set statically, for example during the configuration phase, and remain unchanged during the execution of this method.

Then the element X3 is searched inside the data structure FDC (block 1403), by means of the function a) previously described.

If element X3 is not present in the data structure FDC (output NO of block 1403), the element X3 is inserted into the internal data structure FDC (block 1404), by means of function d) previously described. In particular, the imprint Fie is entered in the cell corresponding to the element X3 and the time instant Tm, respectively in the imprint fields 301, with time stamp 302. Furthermore, in the case of lawful metadata, the weight of the metadata is entered (contained in the weight field 906 of the metadata) in the lawful weight field 306 of the cell, initializing the illegal weight field 307 to zero; vice versa, in the case of illegal metadata, the weight is entered in the illegal weight field 307 of the cell, initializing the lawful weight field 306 to zero. Subsequently, the operations are terminated.

Vice versa (output YES of block 1403), that is, if there is a cell corresponding to element X3ed occupied, two quantities are calculated (block 1405): a positive total weight Ptp_FDC and a negative total weight Ptn_FDC. In detail, in the case of lawful metadata, the total positive weight Ptp_FDC is given by the sum of the weight of the metadata with the content of the lawful weight field 306 of the cell; instead, the total negative weight Ptn_FDC is given by the content of the illegal weight field 307 of the cell. In case of illegal metadata, the total positive weight Ptp_FDC is given by the content of the legal weight field 306 of the cell; instead, the total negative weight Ptn_FDC is given by the sum of the weight of the metadata with the content of the illegal weight field 307 of the cell.

Subsequently, it is checked (block 1406) whether the sum of the positive total weight Ptp_FDC and the negative total weight Ptn_FDC exceeds the decision threshold d-FDC.

In the event that this sum exceeds the decision threshold d-FDC (output SI of block 1406), it occurs (block 1407) if the ratio between the total negative weight Ptn_FDC and the aforementioned sum exceeds the threshold FDC. If the ratio between the total negative weight Ptn_FDC and the sum of the total positive weight Ptp_FDC and the total negative weight Ptn_FDC actually exceeds the FDC threshold (SI output of block 1407), an anomaly (block 1408) associated with the element X3, therefore associated with the second network address. The reporting of the anomaly includes, in addition to the element X3, the content of the illegal weight field 307, which can be used as an indicator of the severity of the anomaly, and a detection time interval, starting with the time stamp Tcldella cell and the time instant Tm as the end. Subsequently, by means of function b) previously described, element X3 is deleted from the data structure FDC (block 1409). Vice versa, if the ratio between the negative total weight Ptn_FDC and the sum of the positive total weight Ptp_FDC and the negative total weight Ptn_FDC is lower than the FDC threshold (NO output of block 1407), it occurs (block 1410) if the ratio between the weight positive total weight Ptp_FDCe the sum of the positive total weight Ptp_FDC and the negative total weight Ptn_FDC exceeds the FDC threshold. If the ratio between the total positive weight Ptp_FDC and the sum of the total positive weight Ptp_FDC and the total negative weight Ptn_FDC exceeds the FDC threshold (output SI of block 1410), one proceeds to carry out the operations of block 1409, i.e. to cancel the € ™ element X3from the FDC data structure. Vice versa (NO output of block 1410), the cell corresponding to element X3 (and occupied) is updated (block 1411) by means of function c) previously described, in such a way that the lawful weight range 306 and the illicit weight 307 of the cell corresponding to element X3 are set equal, respectively, to the total positive weight Ptp_FDC and the total negative weight Ptn_FDC.

If the sum of the total positive weight Ptp_FDC and the total negative weight Ptn_FDC does not exceed the d-FSC decision threshold (NO output of block 1406), one proceeds directly to carry out the operations of block 1411, i.e. to update the cell corresponding to the € ™ element X3 in such a way that the legal weight field 306 and the illegal weight field 307 are set equal, respectively, to the total positive weight Ptp_FDC and to the total negative weight Ptn_FDC.

Similarly to what has been described in relation to the FSC and FDC data structures, the updating of the FEC data structure takes place as shown in figure 15.

In detail, to update the FEC data structure (block 806) an element, called X4, is extracted (block 1501) from the metadata, comprising the content of the event field 905 of the metadata, ie the event ID. Subsequently, the values of two thresholds are set (block 1502), respectively called FEC threshold and d-FEC decision threshold. These thresholds can be set dynamically, therefore they can vary at each update of the FEC data structure, or they can be set statically, for example during the configuration phase, and remain unchanged during the execution of this method.

Then the element X4 is searched inside the data structure FEC (block 1503), by means of the function a) previously described.

If the X4 element is not present in the FEC data structure (NO output of block 1503), the X4 element is inserted into the internal FEC data structure (block 1504). In particular, the imprint Fie is entered in the cell corresponding to element X4 and the time instant Tm, respectively in the imprint fields 301, with time stamp 302. Furthermore, in the case of lawful metadata, the weight of the metadata is entered (contained in the weight field 906 of the metadata) in the lawful weight field 306 of the cell, initializing the illegal weight field 307 to zero; vice versa, in the case of illegal metadata, the weight is entered in the illegal weight field 307 of the cell, initializing the lawful weight field 306 to zero. Subsequently, the operations are terminated.

Vice versa (output YES of block 1503), that is, if there is a cell corresponding to the element X4ed occupied, two quantities are calculated (block 1505): a positive total weight Ptp_FEC and a negative total weight Ptn_FEC. In detail, in the case of lawful metadata, the total positive weight Ptp_FEC is given by the sum of the weight of the metadata with the content of the lawful weight field 306 of the cell; instead, the total negative weight Ptn_FEC is given by the content of the illegal weight field 307 of the cell. In case of illegal metadata, the total positive weight Ptp_FEC is given by the content of the legal weight field 306 of the cell; instead, the total negative weight Ptn_FEC is given by the sum of the weight of the metadata with the content of the illegal weight field 307 of the cell.

Subsequently, it is checked (block 1506) whether the sum of the positive total weight Ptp_FECe and the negative total weight Ptn_FEC exceeds the decision threshold d-FEC.

If this sum exceeds the decision threshold d-FEC (output SI of block 1506), it occurs (block 1507) if the ratio between the total negative weight Ptn_FEC and the aforementioned sum exceeds the threshold FEC. If the ratio between the total negative weight Ptn_FEC and the sum of the total positive weight Ptp_FEC and the total negative weight Ptn_FEC actually exceeds the FEC threshold (output SI of block 1507), an anomaly (block 1508) associated with the element X4, therefore associated with the event ID. The reporting of the anomaly includes, in addition to the element X4, the content of the illegal weight field 307, which can be used as an indicator of the severity of the anomaly, and a detection time interval, starting with the time stamp Tcldella cell and the time instant Tm as the end. Subsequently, by means of function b) previously described, element X4 is deleted from the FEC data structure (block 1509). Vice versa, if the ratio between the negative total weight Ptn_FEC and the sum of the positive total weight Ptp_FEC and the negative total weight Ptn_FEC is lower than the FEC threshold (NO output of block 1507), it occurs (block 1510) if the ratio between the weight positive total weight Ptp_FECe the sum of the positive total weight Ptp_FEC and the negative total weight Ptn_FEC exceeds the FEC threshold. If the ratio between the total positive weight Ptp_FEC and the sum of the total positive weight Ptp_FEC and the total negative weight Ptn_FEC exceeds the FEC threshold (output SI of block 1510), one proceeds to carry out the operations of block 1509, i.e. to cancel the € ™ element X4 from the FEC data structure. Vice versa (output NO of block 1510), the cell corresponding to element X4 (occupied) is updated (block 1511) by means of function c) previously described, in such a way that the legal weight range 306 and the weight range illicit 307 of the cell corresponding to element X4 are set equal, respectively, to the total positive weight Ptp_FEC and the total negative weight Ptn_FEC.

If the sum of the total positive weight Ptp_FEC and the total negative weight Ptn_FEC does not exceed the d-FSC decision threshold (NO output of block 1506), one proceeds directly to carry out the operations of block 1511, i.e. to update the cell corresponding to the € ™ element X4 in such a way that the legal weight field 306 and the illegal weight field 307 are set equal, respectively, to the total positive weight Ptp_FEC and to the total negative weight Ptn_FEC.

Note that even in the case of the FSC, FDC and FEC data structures, as already in the case of the ASM_OK and ASM_KO data structures, the search operations for elements in the aforementioned data structures (blocks 1303, 1403, 1503) and the consequent access to cells occupied, imply the cancellation (see blocks 406 and 407) of non-empty cells with older timestamps Tcl, with respect to the time instant Tm of the metadata whose element is being searched for, of a time greater than or equal to the persistence time Tp . In this way, the filling of the FSC, FDC and FEC data structures is avoided, and the consequent inability to manage items acquired after filling. Furthermore, the use of the persistence time Tpc allows, once an element has been inserted in a cell, to specify a time duration window equal to the persistence time Tp, within which any anomalies relating to this element are detected.

Since the operations referred to in blocks 1304, 1309, 1311, 1404, 1409, 1411, 1504, 1509 and 1511 intrinsically involve search operations, therefore operations already carried out in blocks 1303, 1403 and 1503 (calculation of the hash functions , calculation of the permutations Pi, determination of the column indices Cie of the footprints Fi, iterative search of an occupied cell, subsequent verification of the time stamp Tcle comparison with the contained Fclivi footprint), to avoid the duplication of operations it is possible to implement mechanisms for storing the Cie column indices of the Fidetermined footprints during the operations of blocks 1303, 1403 and 1503. For example, in the event that a search for one of the blocks 1303, 1403 or 1503 finds a corresponding cell, it is possible to store the corresponding column index Cie the respective imprint Fi, as well as the table in which the cell is located, in order to make this information immediately available to the following blocks. For example, in the case of the search referred to in block 1303, such information can be provided to blocks 1304, 1309, 1311, so that it is possible to proceed directly to insert (1304), update (1311) or delete (1309) the element considered. Similar considerations apply to the searches carried out in blocks 1403 and 1503, and the subsequent blocks 1404, 1409, 1411 and 1504, 1509, 1511.

It should also be noted that the operations referred to in blocks 804-806 can be performed in series or in parallel. Less performing, but more computationally agile, embodiments are also possible, in which the operations of only one or two blocks selected from the blocks 804-806 are carried out.

Operationally, the FSC, FDC and FEC data structures are indexed using, respectively, the first network address, the second network address and the event ID. Therefore, the metadata (root) are aggregated within the aforementioned data structures on the basis, respectively, of the first network address, the second network address and the event ID, unlike what happens in the case of data structures ASM_OK and ASM_KO, in which the metadata are aggregated according to the triad including the first network address, the second network address and the event ID.

In other words, and with reference by way of example to the FSC data structure, of each metadata what is relevant (apart from the lawfulness and weight fields) is the first address field 902. In practice, the event to which the metadata refers, whose lawfulness and weight of which are specified respectively in the lawfulness field 904 and weight 906, is considered as an action performed by the network device whose address is contained in the first address field 902, regardless of the type of action, ie the event ID, and the presence of any further network device involved in the action, ie without considering the second address field 903. Therefore, the information associated with different metadata, but provided with the same first address field 902, therefore originating from the same element X2, they are aggregated in a single cell of the FSC data structure. It follows that the eventual signaling of an anomaly (block 1308) indicates that the network device specified by the element X2 has performed, in a time interval at most equal to the persistence time Tp, a certain number of illegal actions , out of a total of actions performed by this network device, as established by the FSC threshold and the d-FSC decision threshold. For example, the network device specified by the X2 element may have attacked a certain target device with actions resulting in different event IDs, or it may have attacked multiple target devices, all with actions resulting in the same event ID, or it may have attacked multiple target devices, each with a respective action, the event IDs of those respective actions being different. Again by way of example, if criteria for determining event IDs are chosen such that each event ID is formed by the concatenation of the protocol and port used by the corresponding action, it can be assumed that the attacks described above refer respectively to cases in which the network device specified by the X2 element has attacked a certain target device with different protocol-port combinations, or has attacked multiple target devices, all with the same protocol-port combination, or each with a respective protocol-port pair.

Similar considerations apply to the FDC and FEC data structures, and to the second network address and the event ID, respectively.

Therefore, with regard to the FDC data structure, an eventual signaling of an anomaly (block 1408) indicates that the network device specified by the element X3, and therefore by the second network address, has been involved in a time interval at most equal to the persistence time Tp, in a certain number of illegal actions, out of a total of actions in which this network device was involved, as established by the FDC threshold and the d-FDC decision threshold. For example, the network device specified by the X3 element may have been attacked by a single source device with a plurality of actions resulting in different event IDs, or it may have been attacked by a plurality of source devices with actions resulting in the same ID event, or it may have been attacked by a plurality of source devices with a corresponding plurality of actions, each action resulting in a respective event ID.

Similarly, with regard to the FEC data structure, a possible report of an anomaly (block 1508) indicates that the event specified by the X4 element, and therefore by the event ID, has been repeated illegally a certain number of times within a time interval at most equal to the persistence time Tp, out of a total of times this event has occurred, as established by the FEC threshold and the d-FEC decision threshold. For example, assuming by way of example an event concerning the establishment of a connection on a port, therefore assuming criteria for determining the event IDs such that each event ID is formed by the port contained in the action field 104 of the item, such event may have been caused by the connection of a plurality of source devices on that port of a single target network device, or it may have been caused by the connection of a single source device with a plurality of target devices, always on that port; again, the event may have been caused by the connection of a plurality of source devices to a corresponding plurality of destination network devices, always on this port.

It should also be noted that, considering reports of anomalies determined on the basis of the content of the FSC, FDC and FEC data structures, it is possible to identify relationships between different reports of anomalies, and to obtain further information about the presence and type of possible attacks. For example, a hypothetical situation in which a source device repeatedly tries to illicitly establish connections with a target device, on different ports of the target device, leads to two distinct anomaly reports, respectively based on the FSC data structure and the FDC data structure. . The two signals allow to identify, independently, the source device and the destination device. However, assuming that the same persistence time Tp has been set for both the FSC and FDC data structures, that the FSC and FDC thresholds are the same, as well as the decision thresholds d-FSC and d-FDC, by examining the detection time intervals of the two reports it is possible to establish a correlation between the two anomalies, providing more information to a hypothetical user in charge of monitoring the network.

On the basis of what has been described, it follows that this method makes it possible to detect and, therefore, to report anomalies, ie violations of rules to be considered serious for safety purposes. In particular, this method makes it possible to identify source devices, target devices and events that repeatedly violate rules, so as to allow the preparation of corrective actions. At the same time, this method provides the time interval for detecting each anomaly, that is, the time interval in which the violations occurred.

It should also be noted that, by keeping inside the cells of the FSC, FDC and FEC data structures information relating to lawful actions, respectively carried out by source devices, directed towards target devices, or relating to events, it allows to link lawful actions and illegal. More specifically, by relating the number of lawful actions to the number of illegal actions, a more sophisticated criterion for reporting anomalies is available than the mere calculation of illegal actions.

As regards the discernment between duplicate and non-duplicated metadata, it allows to avoid that a simple malfunction, which typically gives rise to a plurality of actions having the same triad formed by the first and second address, and by the event ID, from generate an anomaly report. In any case, the threshold mechanism implemented through the use of the total weight Pt2, and the use of the PMKO threshold, makes it possible to report an anomaly in the event that the actions generated by this alleged malfunction are illegal, repeated in a time interval equal to the persistence time Tp, and with weights such that the total weight Pt2 exceeds the PMOK threshold. In this case, the anomaly therefore concerns a single event, between a single source device and a single destination network device.

Operationally, this method can be adapted to the needs of the network in which it is applied. For example, it is possible to statically or dynamically dimension the data structures ASM_OK, ASM_KO, FSC, FDC and FEC, and in particular the number of tables D, the number of columns W and the number of rows H of each these data structures, as a function of the number of entries, and therefore of metadata, per unit of time that is expected to be managed.

Similarly, it is possible to set the thresholds FSC, FDC and FEC and the decisional thresholds d-FSC, d-FDC and d-FEC, as well as the criteria with which to assign the weights of the events, according to the sensitivity that you want to have on the events themselves. Similarly, it is possible to set (statically or dynamically) the PMOK and PMKO thresholds, as well as to choose the persistence time Tp, according to the desired sensitivity towards the single actions, that is, of the single metadata. Furthermore, it is possible to adopt different persistence times Tp for the different data structures (ASM_OK, ASM_KO, FSC, FDC and FEC).

This method can be advantageously implemented in an electronic device connected to other protection devices, in such a way as to be able to receive logs from the protection devices, the methods and times with which the electronic device acquires the logs from the protection devices being in first position. irrelevant approximation. For example, the electronic device can periodically establish connections with the protection devices, in order to retrieve the logs; alternatively, and again by way of example, each protection device can, as soon as the writing of its own log ends, send the log itself to the electronic device. In order to optimize the performance of the method, it is preferable that the protection devices have synchronized time bases in first approximation, in order to avoid the generation of exceptions.

This method can also be implemented inside a protection device, processing directly on the logs created by the protection device itself. In this case, the time base is only one, so it is not possible for exceptions to be generated.

Finally, it is evident that modifications and variations can be made to what is described and illustrated herein, without departing from the scope of the present invention.

By way of example, and with regard to the generation of the metadata 802, the content of the first and second address fields 902, 903 may be different from what is described. Furthermore, in the event that the entry does not contain any address field 102 per se, as for example in the case of some antivirus of the type configured to operate on a computer not necessarily connected to the network, if it is still possible to determine the network address of this computer, it is possible to insert this network address in the first and / or second address field 902, 903. Similarly, if the item does not contain the result field 103, for example because the protection device that generated it does not classify the detected actions, the lawfulness field 904 can be set arbitrarily, by inserting an indication of lawfulness or illegality.

As regards, instead, the tables of the data structures, except that the number of bits of the column indexes C must be sufficient to index all the columns of the tables, the number of bits of the Xkey key can be chosen in order to optimize the memory occupation and the number of collisions to manage.

Similarly, instead of calculating, for each element, a hash function and then calculating as many permutations as there are tables of the data structure in which, for example, one wants to search for the element, it is possible to calculate as many different hash functions as are the tables. Again, in place of hash functions, it is possible to employ other types of functions, functionally analogous to hash functions.

Regarding the data structures, instead of the ASM_OK and ASM_KO data structures, it is possible to use a single data structure, whose cells have a data field formed by a legal weight field and an illegal weight field, similar to what happens in case of the FSC, FDC and FEC data structures. In this case, it is however possible to implement controls similar to those obtained through the operations referred to in blocks 1002, 1010, 1011, 1012, 1013, 1014 and 1015.

Furthermore, embodiments are possible in which the deletion of a cell implies that, if there are non-empty cells belonging to the same column 204 of the deleted cell, and with row index h higher than the row index h of the deleted cell, the content (imprint, time stamp and data) of each of these non-empty cells is copied into the respective cell below, so that the columns 204 of the tables 201 do not have empty cells overlaid by occupied cells.

Still on the subject of data structures, it is possible to foresee additional operations in case you want to insert an element in the presence of a full data structure. For example, it is possible to foresee the overwriting of the cell with the oldest Tcl timestamp. Furthermore, the management of the time stamp field of the cells can be different; for example, whenever a cell is updated, the timestamp can be updated.

Again, in blocks 1307 and 1310 it is possible to use two different thresholds, instead of the FSC threshold. Similar considerations are valid in the cases of blocks 1407 and 1410, and 1507 and 1510. It is also possible to use different persistence times Tp for the FSC, FDC and FEC structures.

Finally, it is possible not to distinguish (block 803) between root and duplicate metadata, but to update the FSC, FDC and FEC data structures in any case. By doing so, a greater quantity of anomaly reports is generated, but a greater sensitivity is obtained with respect to individual illegal actions.

1. Method for detecting anomalies in a communication network comprising at least one protection device configured to detect actions carried out within said network and generate corresponding items, said method comprising the steps of:

- acquiring (801) said items and implementing at least one data structure (200), said at least one data structure comprising a plurality of cells (202);

- for each item, generating (802) a corresponding metadata, said corresponding metadata comprising a first plurality of fields (901-906); And

- updating (804,805,806) said at least one data structure on the basis of update metadata among the corresponding generated metadata, said updating phase comprising the phase of selecting (404,408) cells of said at least one data structure on the basis of at least one update field of said update metadata, said update field belonging to said first plurality of fields;

and in which said cells (202) of said at least one data structure (200) each comprise a second plurality of fields (301-307), said second plurality of fields comprising a fingerprint field (301) configured to contain a fingerprint (Fcl), and form a number of tables (201), each table being formed by a plurality of rows (203) and a plurality of columns (204), and in which said step of selecting (404,408) cells of said at least one data structure on the basis of at least one update field of said update metadata includes, for each of said update metadata, the steps of:

- generating (401-403) as a function of said at least one update field a number of indices (Ci) and a number of footprints (Fi) equal to said number of tables;

- associating each index and each imprint to a respective table of said number of tables;

- search (404, 408) for a corresponding cell, said corresponding cell belonging to a specific column of a specific table of said number of tables, said specific column being indicated by the index associated with said specific table, the imprint field of said corresponding cell containing the footprint associated with said specific table.

2. Anomaly detection method according to claim 1, wherein said step of generating (401-403) as a function of said at least one update field (902,903,905) a number of indices (Ci) and a number of impressions (Fi) comprises the step of calculating (401) a hash function having as argument called at least one update field, and providing a key.

3. Anomaly detection method according to claim 2, further comprising the step of calculating (402) a number of permutations of said key equal to said number of tables (201), and the step of determining on the basis of each of said permutations a respective index and a respective footprint.

An anomaly detection method according to any claim from 1 to 3, wherein said first plurality of fields (901-906) comprises a time instant field (901) configured to contain a time instant (Tm), and in which said second plurality of fields (301-307) further comprises a time stamp field (302) configured to contain a time stamp (Tcl), said step of updating said at least one data structure further comprising the step of erasing obsolete cells between said cells of said at least one data structure, as a function of time stamps contained in said obsolete cells and of time instants contained in said update metadata.

An anomaly detection method according to claim 4, wherein said first plurality of fields (901-906) further comprises a first address field (902), a second address field (903) and an event field (905 ); and in which said step of generating (802) for each item a corresponding metadata comprises the step of determining according to said item a first network address, a second network address and an event identifier, and the step of entering said first network address, said second network address and said event identifier respectively in said first address field, in said second address field and in said event field of said corresponding metadata.

6. An anomaly detection method according to claim 5, wherein said at least one update field comprises one or more fields selected from: said first address field (902), said second address field (903) and said event field (905).

An anomaly detection method according to claim 6, wherein said first plurality of fields further comprises a lawfulness field (904) and a weight field (906); and in which said step of generating (802) for each item a corresponding metadata further comprises the step of determining, as a function of said item, a weight and, alternatively, an indication of lawfulness or an indication of illegality, and the step to insert said weight in said weight field of said corresponding metadata, and alternatively the indication of lawfulness or the indication of illegality in said field of lawfulness of said corresponding metadata.

8. Anomaly detection method according to claim 7, further comprising the step of determining whether each of said corresponding generated metadata is, alternatively, of the duplicate or root type, a generic duplicate type metadata having the first address field (902 ), the second address field (903), the event field (905) and the lawfulness field (904) equal, respectively, to the first address field, the second address field, the event field and the lawfulness of a respective root type metadata, said root type metadata having been generated previously to the generic duplicate type metadata, the time instant (Tm) of the generic duplicate type metadata being between the time instant of the respective root type metadata and a persistence limit equal to the sum of said time instant of said respective root type metadata and a first persistence time; and wherein said update metadata is made up of root type metadata.

An anomaly detection method according to claim 7 or 8, wherein said step of implementing at least one data structure (200) comprises implementing a first (FSC), a second (FDC) and a third (FEC) data structure, called first, second and third data structures being formed, respectively, by a first number of source tables, by a second number of destination tables and by a third number of event tables, each source table comprising a plurality of source cells , each destination table comprising a plurality of destination cells, and each event table comprising a plurality of event cells, each cell of said source cells, said destination cells and said event cells comprising a field of lawful weight (306) and an illegal weight field (307).

An anomaly detection method according to claim 9, wherein said step of selecting cells of said at least one data structure on the basis of at least one update field of said update metadata comprises the steps of selecting first source cells of said first data structure on the basis of the first address field (902) of said update metadata, select first destination cells of said second data structure on the basis of the second address field (903) of said update metadata, and select first event cells of said third data structure on the basis of said event field (905) of said update metadata.

An anomaly detection method according to claim 10, wherein said step of selecting first source cells on the basis of the first address field of said update metadata comprises, for each of said update metadata:

- generating in function of said first address field (902) a number of source indices (Ci) and a number of source fingerprints (Fi) equal to said first number of source tables;

- associating each source index and each source fingerprint to a respective source table;

- search (1303) a corresponding source cell (â € œcorresponding source cellâ €), said corresponding source cell belonging to a column of a specific source table, said column being indicated by the source index associated with said specific table source, the fingerprint field (301) of said corresponding source cell containing the source fingerprint associated with said specific source table.

An anomaly detection method according to claim 11, wherein said step of updating said at least one data structure comprises, for each update metadata:

- in the event that said step of searching (1303) a corresponding source cell does not produce results: identify a first insertion cell (â € œfirst insertion cellâ €) belonging to a source column (â € œsource columnâ €) of a certain source table (â € œspecific source tableâ €) of said first data structure, said source column being indicated by the source index associated with said certain source table; inserting the time instant (Tm) of the update metadata in said timestamp field (302) of said first insertion cell; inserting the source footprint associated with said certain source table in the footprint field of said first input cell; and furthermore, in the case of an update metadata with a lawfulness field (904) containing the indication of lawfulness, enter (1304) in the lawful weight field of said first entry cell the weight of said update metadata, vice versa enter the weight of said update metadata in the illegal weight field of said first input cell;

- if said step of searching for a corresponding source cell identifies said corresponding source cell, calculate (1305) a first positive total weight (Ptp_FSC) and a first negative total weight (Ptn_FSC), said first positive total weight being a function , in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, of the sum of the weight of the update metadata with the weight contained in the lawful weight field of said corresponding source cell, and function, in the case of metadata update with lawfulness field containing the indication of illegality, of the weight contained in the lawful weight field of said corresponding source cell; said first negative total weight being a function, in the case of an update metadata with a field of lawfulness containing the indication of illegality, of the sum of the weight of the update metadata with the weight contained in the field of illegal weight of said corresponding source cell, and function, in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, of the weight contained in the field of illegal weight of said corresponding source cell.

An anomaly detection method according to claim 12, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said step of searching (1303) for a corresponding source cell identifies said corresponding source cell, check (1306) whether a first sum of said first positive total weight (Ptp_FSC) and said first negative total weight (Ptn_FSC) exceeds a first threshold (d-FSC THRESHOLD);

- in the event that said first sum is lower than said first threshold, update (1311) said corresponding source cell, by inserting said first positive total weight and said first negative total weight respectively in the lawful weight field (306) and in the field of illegal weight (307) of said corresponding source cell.

Anomaly detection method according to claim 13, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said first sum is higher than said first threshold (d-FSC THRESHOLD), check (1307) if a first ratio between said first negative total weight (Ptn_FSC) and said first sum exceeds a second threshold (FSC THRESHOLD) ;

- in the event that said first ratio exceeds said second threshold, generate (1308) an anomaly signal.

Anomaly detection method according to claim 14, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said first ratio does not exceed said second threshold (FSC THRESHOLD), checking (1310, 1410) if a second ratio between said first positive total weight (Ptp_FSC) and said first sum exceeds a third threshold;

- in the event that said second ratio exceeds said third threshold, cancel (1311) said corresponding source cell.

Anomaly detection method according to claim 15, wherein said update step (804,805,806) said at least one data structure (200) comprises, for each update metadata:

- in the event that said first ratio is lower than said second threshold, and said second ratio is lower than said third threshold, update (1311) said corresponding source cell, inserting said first positive total weight (Ptp_FSC) and said first total weight negative (Ptn_FSC) respectively in said lawful weight range (306) and in said illegal weight range (307) of said corresponding source cell.

An anomaly detection method according to any claim from 10 to 16, wherein said step of selecting first destination cells on the basis of the second address field comprises, for each of said update metadata:

- generating a function of said second address field (903) a number of destination indexes and a number of destination fingerprints equal to said second number of destination tables;

- associate each target index and each target footprint to a respective target table;

- search (1403) for a corresponding destination cell, said corresponding destination cell belonging to a column of a specific destination table, said column being indicated by the destination index associated with said specific destination table, the imprint field of said corresponding destination cell containing the destination footprint associated with said specific destination table.

18. An anomaly detection method according to claim 17, wherein said step of updating said at least one data structure comprises, for each update metadata:

- in the event that said step of searching (1403) a corresponding destination cell does not produce results: identifying a second insertion cell belonging to a destination column of a certain destination table of said second data structure, said destination column being indicated by the destination index associated with said certain destination table; inserting the time instant of said update metadata in said time stamp field (302) of said second insertion cell; inserting the target footprint associated with said certain target table in the footprint field of said second entry cell; and furthermore, in the case of an update metadata with a lawfulness field (904) containing the indication of lawfulness, enter (1404) in the lawful weight field of said second entry cell the weight of said update metadata, vice versa enter the weight of said update metadata in the illegal weight field of said second input cell;

- if said step of searching for a corresponding destination cell identifies said corresponding destination cell, calculate (1405) a second positive total weight (Ptp_FDC) and a second negative total weight (Ptn_FDC), said second positive total weight being a function , in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, the sum of the weight of the update metadata with the weight contained in the lawful weight field of said corresponding destination cell, and function, in the case of metadata update with lawfulness field containing the indication of illegality, of the weight contained in the lawful weight field of said corresponding destination cell; said second negative total weight being a function, in the case of an update metadata with a field of lawfulness containing the indication of illegality, of the sum of the weight of the update metadata with the weight contained in the illegal weight field of said corresponding destination cell, and function, in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, of the weight contained in the field of illegal weight of said corresponding destination cell.

An anomaly detection method according to claim 18, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said step of searching (1403) for a corresponding destination cell identifies said corresponding destination cell, check (1406) whether a second sum of said second positive total weight (Ptp_FDC) and said second negative total weight (Ptn_FDC) exceeds a fourth threshold (THRESHOLD d-FDC);

- in the event that said second sum is lower than said fourth threshold, update (1411) said corresponding destination cell, by inserting said second positive total weight and said second negative total weight respectively in the lawful weight field (306) and in the field of illicit weight (307) of said corresponding destination cell.

An anomaly detection method according to claim 19, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- in the event that said second sum is higher than said fourth threshold (THRESHOLD d-FDC), check (1407) if a third ratio between said second negative total weight (Ptn_FDC) and said second sum exceeds a fifth threshold (THRESHOLD FDC) ;

- in the event that said third ratio exceeds said fifth threshold, generate (1408) an anomaly signal.

An anomaly detection method according to claim 20, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said third ratio does not exceed said fifth threshold (THRESHOLD FDC), check (1410) whether a fourth ratio between said second positive total weight (Ptp_FDC) and said second sum exceeds a sixth threshold;

- if said fourth ratio exceeds said sixth threshold, cancel (1411) said corresponding destination cell.

An anomaly detection method according to claim 21, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- in the event that said third ratio is lower than said fifth threshold, and said fourth ratio is lower than said sixth threshold, update (1411) said corresponding destination cell, inserting said second positive total weight (Ptp_FDC) and said second total weight negative (Ptn_FDC) respectively in said lawful weight range (306) and in said illegal weight range (307) of said corresponding destination cell.

An anomaly detection method according to any claim from 10 to 22, wherein said step of selecting first event cells on the basis of the event field (905) comprises, for each of said update metadata:

generating a function of said event field, a number of event indices and a number of event marks equal to said third number of event tables;

- associate each event index and each event footprint to a respective event table;

- search (1503) for a corresponding event cell, said corresponding event cell belonging to a column of a specific event table, said column being indicated by the event index associated with said specific event table, the imprint field of said corresponding event cell containing the event imprint associated with said specific event table.

24. Anomaly detection method according to claim 23, wherein said step of updating said at least one data structure comprises, for each update metadata:

- in the event that said step of searching (1503) for a corresponding event cell does not produce results: identifying a third input cell belonging to an event column of a certain event table of said third data structure, said event column being indicated by the event index associated with said certain event table; inserting the time instant of said update metadata in said timestamp field (302) of said third insertion cell; inserting the event footprint associated with said certain event table in the footprint field of said third entry cell; and furthermore, in the case of an update metadata with a lawfulness field (904) containing the indication of lawfulness, enter (1504) in the lawful weight field of said third entry cell the weight of said update metadata, vice versa enter the weight of said update metadata in the illegal weight field of said third input cell;

- if said step of searching for a corresponding event cell identifies said corresponding event cell, calculate (1505) a third positive total weight (Ptp_FEC) and a third negative total weight (Ptn_FEC), said third positive total weight being a function , in the case of update metadata with lawfulness field containing the indication of lawfulness, of the sum of the weight of the update metadata with the weight contained in the lawful weight field of said corresponding event cell, and function, in case of metadata update with lawfulness field containing the indication of illegality, of the weight contained in the lawful weight field of said corresponding event cell; said third negative total weight being a function, in the case of an update metadata with a field of lawfulness containing the indication of illegality, of the sum of the weight of the update metadata with the weight contained in the illegal weight field of said corresponding event cell, and function, in case of update metadata with lawfulness field containing the indication of lawfulness, of the weight contained in the illegal weight field of said corresponding event cell.

An anomaly detection method according to claim 24, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said step of searching (1503) for a corresponding event cell identifies said corresponding event cell, check (1506) whether a third sum of said third positive total weight (Ptp_FEC) and said third negative total weight (Ptn_FEC) exceeds a seventh threshold (d-FEC THRESHOLD);

- in the event that said third sum is lower than said seventh threshold, update (1511) said corresponding event cell, by inserting said third positive total weight and said third negative total weight respectively in the lawful weight field (306) and in the field of illicit weight (307) of said corresponding event cell.

An anomaly detection method according to claim 25, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each non-duplicated metadata:

- in the event that said third sum is higher than said seventh threshold (THRESHOLD d-FEC), check (1507) if a fifth ratio between said third negative total weight (Ptn_FEC) and said third sum exceeds an eighth threshold (FEC THRESHOLD) ;

- in the event that said fifth ratio exceeds said eighth threshold, generate (1508) an anomaly signal.

Anomaly detection method according to claim 26, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata:

- if said fifth ratio does not exceed said eighth threshold (FEC THRESHOLD), check (1510) whether a sixth ratio between said third positive total weight (Ptp_FEC) and said third sum exceeds a ninth threshold;

- in the event that said sixth ratio exceeds said ninth threshold, cancel (1511) said corresponding event cell.

An anomaly detection method according to claim 27, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each non-duplicated metadata:

- in the event that said fifth ratio is lower than said eighth threshold, and said sixth ratio is lower than said ninth threshold, update (1511) said corresponding event cell, inserting said third positive total weight (Ptp_FEC) and said third total weight negative (Ptn_FEC) respectively in said lawful weight range (306) and in said illegal weight range (307) of said corresponding event cell.

29. Anomaly detection method according to any claim from 9 to 28, wherein said step of erasing obsolete cells of said at least one data structure comprises the step of erasing obsolete cells between said source cells, destination cells and event cells , said obsolete cells having a time stamp (Tcl) older than the time instant of a considered update metadata, by a time at least equal to a second persistence time (Tp).

30. Anomaly detection method according to any claim from 8 to 29, further comprising the step of generating (1015) a preliminary anomaly signal in the event that entries are acquired in a predetermined time interval such that the corresponding metadata are of the duplicate type with respect to the same respective root type metadata, have lawfulness fields (904) containing the indication of illegality, and have weights whose sum exceeds a preliminary threshold.

31. Protection device configured to connect to a communication network and implement the anomaly detection method according to any one of claims 1 to 30.

32. Software product loadable into a memory of a network device and configured to implement, when executed, the anomaly detection method according to any one of claims 1 to 30.

TITLE: METHOD FOR DETECTION OF ANOMALIES IN A COMMUNICATION NETWORK AND NETWORK DEVICE IMPLEMENTING THIS METHOD

SUMMARY

A method for detecting anomalies in a communication network is described, inside which there is at least one protection device, which detects actions carried out within the network and generates corresponding entries. The method provides for the steps of acquiring (801) the items and implementing at least one data structure (200) formed by a plurality of cells (202). Furthermore, the method provides for the steps of generating, for each item, a corresponding metadata, formed by a first plurality of fields (901-906); and updating (804,805,806) the at least one data structure on the basis of update metadata among the corresponding generated metadata. The update step includes selecting (404,408) cells of the at least one data structure based on at least one update metadata update field.

Claims (33)

CLAIMS 1. Method for detecting anomalies in a communication network comprising at least one protection device configured to detect actions carried out within said network and generate corresponding items, said method comprising the steps of acquiring (801) said items and implementing at least a data structure (200), said at least one data structure comprising a plurality of cells (202); characterized by the fact of further understanding the phases of: - for each item, generating (802) a corresponding metadata, said corresponding metadata comprising a first plurality of fields (901-906); - updating (804,805,806) said at least one data structure on the basis of update metadata among the corresponding generated metadata, said updating phase comprising the phase of selecting (404,408) cells of said at least one data structure on the basis of at least one update field of said update metadata, said update field belonging to said first plurality of fields. Anomaly detection method according to claim 1, wherein said cells (202) of said at least one data structure (200) each comprise a second plurality of fields (301-307), said second plurality of fields comprising a field of footprint (301) configured to contain a footprint (Fcl), and form a number of tables (201), each table being formed by a plurality of rows (203) and a plurality of columns (204), and in which it dictates step of selecting (404,408) cells of said at least one data structure on the basis of at least one update field of said update metadata comprises, for each of said update metadata, the steps of: - generating (401-403) as a function of said at least one update field a number of indices (Ci) and a number of footprints (Fi) equal to said number of tables; - associating each index and each imprint to a respective table of said number of tables; - search (404, 408) for a corresponding cell, said corresponding cell belonging to a specific column of a specific table of said number of tables, said specific column being indicated by the index associated with said specific table, the imprint field of said corresponding cell containing the footprint associated with said specific table. 3. Anomaly detection method according to claim 2, wherein said step of generating (401-403) as a function of said at least one update field (902,903,905) a number of indices (Ci) and a number of impressions (Fi) comprises the step of calculating (401) a hash function having as argument called at least one update field, and providing a key. 4. Anomaly detection method according to claim 3, further comprising the step of calculating (402) a number of permutations of said key equal to said number of tables (201), and the step of determining on the basis of each of said permutations a respective index and a respective footprint. An anomaly detection method according to any claim from 2 to 4, wherein said first plurality of fields (901-906) comprises an instant in time field (901) configured to contain a time instant (Tm), and in which said second plurality of fields (301-307) further comprises a time stamp field (302) configured to contain a time stamp (Tcl), said step of updating said at least one data structure further comprising the step of erasing obsolete cells between said cells of said at least one data structure, as a function of time stamps contained in said obsolete cells and of time instants contained in said update metadata. An anomaly detection method according to claim 5, wherein said first plurality of fields (901-906) further comprises a first address field (902), a second address field (903) and an event field (905 ); and in which said step of generating (802) for each item a corresponding metadata comprises the step of determining according to said item a first network address, a second network address and an event identifier, and the step of entering said first network address, said second network address and said event identifier respectively in said first address field, in said second address field and in said event field of said corresponding metadata. 7. Anomaly detection method according to claim 6, wherein said at least one update field comprises one or more fields selected from: said first address field (902), said second address field (903) and said event field (905). An anomaly detection method according to claim 7, wherein said first plurality of fields further comprises a lawfulness field (904) and a weight field (906); and in which said step of generating (802) for each item a corresponding metadata further comprises the step of determining, as a function of said item, a weight and, alternatively, an indication of lawfulness or an indication of illegality, and the step to insert said weight in said weight field of said corresponding metadata, and alternatively the indication of lawfulness or the indication of illegality in said field of lawfulness of said corresponding metadata. 9. Anomaly detection method according to claim 8, further comprising the step of determining whether each of said corresponding generated metadata is, alternatively, of the duplicate or root type, a generic duplicate type metadata having the first address field (902 ), the second address field (903), the event field (905) and the lawfulness field (904) equal, respectively, to the first address field, the second address field, the event field and the lawfulness of a respective root type metadata, said root type metadata having been generated previously to the generic duplicate type metadata, the time instant (Tm) of the generic duplicate type metadata being between the time instant of the respective root type metadata and a persistence limit equal to the sum of said time instant of said respective root type metadata and a first persistence time; and wherein said update metadata consists of root type metadata. 10. Anomaly detection method according to claim 8 or 9, wherein said step of implementing at least one data structure (200) comprises implementing a first (FSC), a second (FDC) and a third (FEC) data structure, called first, second and third data structures being formed, respectively, by a first number of source tables, by a second number of destination tables and by a third number of event tables, each source table comprising a plurality of source cells , each destination table comprising a plurality of destination cells, and each event table comprising a plurality of event cells, each cell of said source cells, said destination cells and said event cells comprising a field of lawful weight (306) and an illegal weight field (307). An anomaly detection method according to claim 10, wherein said step of selecting cells of said at least one data structure on the basis of at least one update field of said update metadata comprises the steps of selecting first source cells of said first data structure on the basis of the first address field (902) of said update metadata, select first destination cells of said second data structure on the basis of the second address field (903) of said update metadata, and select first event cells of said third data structure on the basis of said event field (905) of said update metadata. An anomaly detection method according to claim 11, wherein said step of selecting first source cells on the basis of the first address field of said update metadata comprises, for each of said update metadata: - generating in function of said first address field (902) a number of source indices (Ci) and a number of source fingerprints (Fi) equal to said first number of source tables; - associating each source index and each source fingerprint to a respective source table; - search (1303) a corresponding source cell (â € œcorresponding source cellâ €), said corresponding source cell belonging to a column of a specific source table, said column being indicated by the source index associated with said specific table source, the fingerprint field (301) of said corresponding source cell containing the source fingerprint associated with said specific source table. An anomaly detection method according to claim 12, wherein said step of updating said at least one data structure comprises, for each update metadata: - in the event that said step of searching (1303) a corresponding source cell does not produce results: identify a first insertion cell (â € œfirst insertion cellâ €) belonging to a source column (â € œsource columnâ €) of a certain source table (â € œspecific source tableâ €) of said first data structure, said source column being indicated by the source index associated with said certain source table; inserting the time instant (Tm) of the update metadata in said timestamp field (302) of said first insertion cell; inserting the source footprint associated with said certain source table in the footprint field of said first input cell; and furthermore, in the case of an update metadata with a lawfulness field (904) containing the indication of lawfulness, enter (1304) in the lawful weight field of said first entry cell the weight of said update metadata, vice versa enter the weight of said update metadata in the illegal weight field of said first input cell; - if said step of searching for a corresponding source cell identifies said corresponding source cell, calculate (1305) a first positive total weight (Ptp_FSC) and a first negative total weight (Ptn_FSC), said first positive total weight being a function , in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, of the sum of the weight of the update metadata with the weight contained in the lawful weight field of said corresponding source cell, and function, in the case of metadata update with lawfulness field containing the indication of illegality, of the weight contained in the lawful weight field of said corresponding source cell; said first negative total weight being a function, in the case of an update metadata with a field of lawfulness containing the indication of illegality, of the sum of the weight of the update metadata with the weight contained in the field of illegal weight of said corresponding source cell, and function, in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, of the weight contained in the field of illegal weight of said corresponding source cell. Anomaly detection method according to claim 13, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - if said step of searching (1303) for a corresponding source cell identifies said corresponding source cell, check (1306) whether a first sum of said first positive total weight (Ptp_FSC) and said first negative total weight (Ptn_FSC) exceeds a first threshold (d-FSC THRESHOLD); - in the event that said first sum is lower than said first threshold, update (1311) said corresponding source cell, by inserting said first positive total weight and said first negative total weight respectively in the lawful weight field (306) and in the field of illegal weight (307) of said corresponding source cell. Anomaly detection method according to claim 14, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - if said first sum is higher than said first threshold (d-FSC THRESHOLD), check (1307) if a first ratio between said first negative total weight (Ptn_FSC) and said first sum exceeds a second threshold (FSC THRESHOLD) ; - in the event that said first ratio exceeds said second threshold, generate (1308) an anomaly signal. Anomaly detection method according to claim 15, wherein said update step (804,805,806) said at least one data structure (200) comprises, for each update metadata: - if said first ratio does not exceed said second threshold (FSC THRESHOLD), checking (1310, 1410) if a second ratio between said first positive total weight (Ptp_FSC) and said first sum exceeds a third threshold; - in the event that said second ratio exceeds said third threshold, cancel (1311) said corresponding source cell. Anomaly detection method according to claim 16, wherein said update step (804,805,806) said at least one data structure (200) comprises, for each update metadata: - in the event that said first ratio is lower than said second threshold, and said second ratio is lower than said third threshold, update (1311) said corresponding source cell, inserting said first positive total weight (Ptp_FSC) and said first total weight negative (Ptn_FSC) respectively in said lawful weight range (306) and in said illegal weight range (307) of said corresponding source cell. 18. Anomaly detection method according to any claim 11 to 17, wherein said step of selecting first destination cells on the basis of the second address field comprises, for each of said update metadata: - generating a function of said second address field (903) a number of destination indexes and a number of destination fingerprints equal to said second number of destination tables; - associate each target index and each target footprint to a respective target table; - search (1403) for a corresponding destination cell, said corresponding destination cell belonging to a column of a specific destination table, said column being indicated by the destination index associated with said specific destination table, the imprint field of said corresponding destination cell containing the destination footprint associated with said specific destination table. An anomaly detection method according to claim 18, wherein said step of updating said at least one data structure comprises, for each update metadata: - in the event that said step of searching (1403) a corresponding destination cell does not produce results: identifying a second insertion cell belonging to a destination column of a certain destination table of said second data structure, said destination column being indicated by the destination index associated with said certain destination table; inserting the time instant of said update metadata in said time stamp field (302) of said second insertion cell; inserting the target footprint associated with said certain target table in the footprint field of said second entry cell; and furthermore, in the case of an update metadata with a lawfulness field (904) containing the indication of lawfulness, enter (1404) in the lawful weight field of said second entry cell the weight of said update metadata, vice versa enter the weight of said update metadata in the illegal weight field of said second input cell; - if said step of searching for a corresponding destination cell identifies said corresponding destination cell, calculate (1405) a second positive total weight (Ptp_FDC) and a second negative total weight (Ptn_FDC), said second positive total weight being a function , in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, the sum of the weight of the update metadata with the weight contained in the lawful weight field of said corresponding destination cell, and function, in the case of metadata update with lawfulness field containing the indication of illegality, of the weight contained in the lawful weight field of said corresponding destination cell; said second negative total weight being a function, in the case of an update metadata with a field of lawfulness containing the indication of illegality, of the sum of the weight of the update metadata with the weight contained in the illegal weight field of said corresponding destination cell, and function, in the case of an update metadata with a field of lawfulness containing the indication of lawfulness, of the weight contained in the field of illegal weight of said corresponding destination cell. An anomaly detection method according to claim 19, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - if said step of searching (1403) for a corresponding destination cell identifies said corresponding destination cell, check (1406) whether a second sum of said second positive total weight (Ptp_FDC) and said second negative total weight (Ptn_FDC) exceeds a fourth threshold (THRESHOLD d-FDC); - in the event that said second sum is lower than said fourth threshold, update (1411) said corresponding destination cell, by inserting said second positive total weight and said second negative total weight respectively in the lawful weight field (306) and in the field of illicit weight (307) of said corresponding destination cell. An anomaly detection method according to claim 20, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - in the event that said second sum is higher than said fourth threshold (THRESHOLD d-FDC), check (1407) if a third ratio between said second negative total weight (Ptn_FDC) and said second sum exceeds a fifth threshold (THRESHOLD FDC) ; - in the event that said third ratio exceeds said fifth threshold, generate (1408) an anomaly signal. An anomaly detection method according to claim 21, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - if said third ratio does not exceed said fifth threshold (THRESHOLD FDC), check (1410) whether a fourth ratio between said second positive total weight (Ptp_FDC) and said second sum exceeds a sixth threshold; - if said fourth ratio exceeds said sixth threshold, cancel (1411) said corresponding destination cell. An anomaly detection method according to claim 22, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - in the event that said third ratio is lower than said fifth threshold, and said fourth ratio is lower than said sixth threshold, update (1411) said corresponding destination cell, inserting said second positive total weight (Ptp_FDC) and said second total weight negative (Ptn_FDC) respectively in said lawful weight range (306) and in said illegal weight range (307) of said corresponding destination cell. An anomaly detection method according to any claim 11 to 23, wherein said step of selecting first event cells on the basis of the event field (905) comprises, for each of said update metadata: - generating a function of said event field, a number of event indices and a number of event marks equal to said third number of event tables; - associate each event index and each event footprint to a respective event table; - search (1503) for a corresponding event cell, said corresponding event cell belonging to a column of a specific event table, said column being indicated by the event index associated with said specific event table, the imprint field of said corresponding event cell containing the event imprint associated with said specific event table. An anomaly detection method according to claim 24, wherein said step of updating said at least one data structure comprises, for each update metadata: - in the event that said step of searching (1503) for a corresponding event cell does not produce results: identifying a third input cell belonging to an event column of a certain event table of said third data structure, said event column being indicated by the event index associated with said certain event table; inserting the time instant of said update metadata in said timestamp field (302) of said third insertion cell; inserting the event footprint associated with said certain event table in the footprint field of said third entry cell; and furthermore, in the case of an update metadata with a lawfulness field (904) containing the indication of lawfulness, enter (1504) in the lawful weight field of said third entry cell the weight of said update metadata, vice versa enter the weight of said update metadata in the illegal weight field of said third input cell; - if said step of searching for a corresponding event cell identifies said corresponding event cell, calculate (1505) a third positive total weight (Ptp_FEC) and a third negative total weight (Ptn_FEC), said third positive total weight being a function , in the case of update metadata with lawfulness field containing the indication of lawfulness, of the sum of the weight of the update metadata with the weight contained in the lawful weight field of said corresponding event cell, and function, in case of metadata update with lawfulness field containing the indication of illegality, of the weight contained in the lawful weight field of said corresponding event cell; said third negative total weight being a function, in the case of an update metadata with a field of lawfulness containing the indication of illegality, of the sum of the weight of the update metadata with the weight contained in the illegal weight field of said corresponding event cell, and function, in case of update metadata with lawfulness field containing the indication of lawfulness, of the weight contained in the illegal weight field of said corresponding event cell. Anomaly detection method according to claim 25, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - if said step of searching (1503) for a corresponding event cell identifies said corresponding event cell, check (1506) whether a third sum of said third positive total weight (Ptp_FEC) and said third negative total weight (Ptn_FEC) exceeds a seventh threshold (d-FEC THRESHOLD); - in the event that said third sum is lower than said seventh threshold, update (1511) said corresponding event cell, by inserting said third positive total weight and said third negative total weight respectively in the lawful weight field (306) and in the field of illicit weight (307) of said corresponding event cell. Anomaly detection method according to claim 26, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each non-duplicated metadata: - in the event that said third sum is higher than said seventh threshold (THRESHOLD d-FEC), check (1507) if a fifth ratio between said third negative total weight (Ptn_FEC) and said third sum exceeds an eighth threshold (FEC THRESHOLD) ; - in the event that said fifth ratio exceeds said eighth threshold, generate (1508) an anomaly signal. An anomaly detection method according to claim 27, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each updating metadata: - if said fifth ratio does not exceed said eighth threshold (FEC THRESHOLD), check (1510) whether a sixth ratio between said third positive total weight (Ptp_FEC) and said third sum exceeds a ninth threshold; - if said sixth ratio exceeds said ninth threshold, cancel (1511) said corresponding event cell. 29. Anomaly detection method according to claim 28, wherein said step of updating (804,805,806) said at least one data structure (200) comprises, for each non-duplicated metadata: - in the event that said fifth ratio is lower than said eighth threshold, and said sixth ratio is lower than said ninth threshold, update (1511) said corresponding event cell, inserting said third positive total weight (Ptp_FEC) and said third total weight negative (Ptn_FEC) respectively in said lawful weight range (306) and in said illegal weight range (307) of said corresponding event cell. 30. Anomaly detection method according to any claim from 10 to 29, wherein said step of erasing obsolete cells of said at least one data structure comprises the step of erasing obsolete cells between said source cells, destination cells and event cells , said obsolete cells having a time stamp (Tcl) older than the time instant of a considered update metadata, by a time at least equal to a second persistence time (Tp). 31. Anomaly detection method according to any claim from 9 to 30, further comprising the step of generating (1015) a preliminary anomaly signaling in the event that entries are acquired in a predetermined time interval such that the corresponding metadata are of the duplicate type with respect to the same respective root type metadata, have lawfulness fields (904) containing the indication of illegality, and have weights whose sum exceeds a preliminary threshold. 32. Protection device configured to connect to a communication network and implement the anomaly detection method according to any one of claims 1 to 31. 33. Software product loadable into a memory of a network device and configured to implement, when executed, the anomaly detection method according to any one of claims 1 to 31.