WO2021045639A1 - Method and system for sonifying cybersecurity incidents - Google Patents

Abstract

The invention relates to a method and system for sonifying cybersecurity incidents. The method involves: collecting cybersecurity incident data, including the IP addresses of network exchange nodes, network ports, the time of connection between nodes and the reaction of network security means to said connections; aggregating the cybersecurity incidents by different features in accordance with a chosen sonification model, and calculating the statistical characteristics of the aggregated events for a given time period; generating a scheme for the sonification of incidents on the basis of the statistical characteristics of the connections between network nodes, said scheme being generated in accordance with one of the following proposed sonification models: sound source – network zone; number of connections in a network zone – volume of sound source; deviation from a mean value in a given time period – rate of repetition of the source sound in the given time period; ratio of blocked and permitted connections for each zone – tone/pitch of source sound; and then generating audible alerts to incoming cybersecurity notifications in accordance with the given sonification scheme.

Description

METHOD AND SYSTEM FOR SONIFICATION OF CYBER SECURITY EVENTS

FIELD OF TECHNOLOGY

[0001] The present technical solution, in General, relates to the field of computer technology, and in particular to a method and system for sonification of cybersecurity events.

LEVEL OF TECHNOLOGY

[0002] With the development of the technical level in the field of data processing, requiring a prompt response to a transient change in their states, a new method has emerged that allows you to analyze various processes based on the use of auditory information display, in which data obtained during measurements or control of various processes, can be converted into sound vibrations, which makes it possible to register them through sound channels of perception.

[0003] This approach is called sonification and is currently used in many scientific fields as an alternative to the visual presentation of data, allowing you to generate sound alerts associated with a change in the state of controlled processes. At the same time, the main advantages are the ability to process and respond to a large number of parallel information flows in real time, as well as prompt detection of changes in critical parameters, which is especially critical in processing cybersecurity events.

[0004] The most important criterion for sonification is the construction of a sound scheme for a specific task of identifying and notifying specified types of events. As a rule, the sound scheme relies on a number of parameters to form the sonification of events, for example, the parameters of sounds, the amount of data, their coherence, etc.

[0005] Information tends to grow. Each new virtual entity of an individual initializes new connections with other entities, receives and sends data, initializes various processes, that is, carries out informational activity leading to an increase in data. The increase in the volume of data storages and the decrease in the cost of their storage leads to the fact that the general trend of interaction with information systems can be expressed as "save everything" instead of "Save this snippet." The thesis about information saturation is indisputable.

(saturation) of the visual channel of perception. Whether it is a customer in a supermarket or an operator of a situation center, a person is forced to pay attention to more and more data that comes into view, displayed visually, and / or to separate their presentation in time, thereby increasing the processing time of this data. This leads to a number of well-known problems - from increased fatigue and reduced labor efficiency to the emergence of critical errors in the decision-making process. Against this background, the problems associated with combining different data are increasing.

[0006] Currently, sonification methods are widely used in various fields, including medicine, aviation and complex systems management, media art, business analytics, seismography, assistive technologies for the visually impaired, astronomy. [one]

[0007] Various approaches to sonification of observed data are known in the art. For example, the analysis of network activity using SonSTAR software allows you to generate sound alerts based on the analysis of network activity streams by filtering the data of transmitted packets. [2]

[0008] From the patent US 7511213 B2 (Soft Sound Holdings LLC, 03/31/2009) the principle of sonification of these changes in the securities market is known by constructing a sound mapping scheme for generating alerts based on the parameters of dynamic market changes, for example, currency fluctuations, stock prices etc. [0009] Existing approaches are not suitable for analyzing cybersecurity events in terms of detecting network anomalies and forming a sound environment based on statistical data of connections between nodes, aggregated according to certain criteria.

DISCLOSURE OF THE INVENTION

[0010] The present invention is aimed at solving a technical problem, which consists in creating a new principle of sonification of cybersecurity events, which makes it possible to more efficiently and timely identify network anomalies in a corporate network.

[OOP] The technical result is to increase the efficiency of responding to emerging cybersecurity events in network zones through the use of an event sonification scheme generated by firewalls based on statistical characteristics of connections between the nodes of the corporate network in a given time interval.

[0012] The claimed result is achieved due to a computer-implemented method for sonification of cybersecurity events generated by network protection means, performed using a processor and containing the stages at which:

- collecting data of cybersecurity events, which include IP-addresses of network exchange nodes, network ports, time of connection between nodes and reaction of firewalls to said connections;

- the received cybersecurity events are aggregated according to various criteria in accordance with the selected sonification model and the statistical characteristics of the aggregated events in a given time interval are calculated;

- generate a scheme for sonification of events based on the mentioned statistical characteristics of connections between network nodes, and the above scheme is formed in accordance with one of the proposed models of sonification. sound source - network zone, the number of connections in the network zone - volume of the sound source, deviation from the average value in the time interval - the frequency of repetition of the sound of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone - timbre / pitch of the source sound;

- generate sound notifications for incoming cybersecurity notifications in accordance with the aforementioned sonification scheme.

[0013] In one of the particular embodiments of the method, the aggregated network connections are visualized in real time.

[0014] In another particular embodiment of the method, rendering is performed synchronously with the generation of audio notifications.

[0015] In another particular embodiment of the method, audio notification and / or visualization of network areas is transmitted to the user's mobile device.

[0016] In another particular embodiment of the method, the source is selected from the group: musical instrument, sounds of the surrounding nature, sounds of animals, sounds of nature, synthesized sounds, or combinations thereof. [0017] The claimed result is also achieved by a system for sonification of cybersecurity events generated by firewalls, which contains at least one processor and at least one storage medium containing machine-readable instructions that, when executed by the processor, perform the above-described method.

[0018] Other, particular aspects of the implementation of the claimed technical solution will be disclosed further in these application materials.

BRIEF DESCRIPTION OF DRAWINGS

[0019] Features and advantages of the present invention will become apparent from the following detailed description of the invention and the accompanying drawings, in which:

[0020] FIG. 1 illustrates the general scheme of the claimed solution.

[0021] FIG. 2 illustrates a flow diagram of processing cybersecurity events to sonify them.

[0022] FIG. 3 illustrates the scheme of sonification of cybersecurity events when dividing into zones of network activity.

[0023] FIG. 4 illustrates an example of dividing audio sources into zones of a corporate network.

[0024] FIG. 5 to FIG. 6 illustrate variants of sonification models.

[0025] FIG. 7 illustrates a view of a computing system.

CARRYING OUT THE INVENTION

[0026] As shown in FIG. 1, the general scheme of the claimed solution includes a data transmission network (110), the connection between the sections of which is controlled by a network security tool (120) of the corporate infrastructure. Firewalls (120) can be selected from various devices, for example, an NGFW PaloAlto firewall or any other suitable type of device that provides a record of audit log events (130) related to the initiation of connections and network interaction of hosts in the corporate network with each other and with external hosts.

[0027] The audit trail of the firewall (130) contains cybersecurity events, including data about network connections, in particular, the time of the event, the IP address of the sender, the IP address of the recipient, the action of the security (whether the connection was blocked or allowed by the firewall) ... Under the net For data transmission, the information network "Internet" can be used, formed by various well-known protocols and principles of communication, for example, WAN, PAN, WLAN, LAN, etc.

[0028] Cybersecurity event data from the audit log (130) is sent to a processing device (200) based on a personal computer, which provides data processing for performing the information sonification process.

[0029] The device (200) contains a preprocessing module (210) that enriches the data received from the network protection means (120), a sonification module (220) that generates sound notifications according to the established sound scheme, a database of sounds (230) containing sound sources for generating sound notifications, a visualization module (240) that visualizes data from cybersecurity events.

[0030] FIG. 2 shows the steps of a method for sonifying cybersecurity events. At the first stage (301), the events of the audit log (130) of the firewall (120) are collected. The data obtained using the preprocessing module (210) is aggregated taking into account the time stamp in accordance with the selected sonification scheme and enriched with additional information, for example, about the IP address belonging to a certain network zone of the corporate network, the presence of the IP address and / or network port in the black list IP addresses and / or network ports. The preprocessing module (210) can be executed in the Python language and, in a private version, represent a module based on machine learning algorithms, for example, a neural network that superimposes a sonification scheme on the generated set of statistical characteristics from network security tools (120) to generate sound alerts for network anomalies. activity.

[0031] Depending on the data received from the network security means (120) at step (301), the statistical characteristics of the connections (302) are calculated, on the basis of which a decision is then made to apply the selected scheme of sonification and data visualization at step (303) for the subsequent formation of sound environments in real time (304).

FIG. 3 shows an example of the scheme of the claimed solution, in which the information to be sonified is distributed over the zones of the corporate network (400). As shown in FIG. 4 for each network zone (4001-4004) and a specified time interval (which can be set as needed - 1,3,5,10 sec, etc.) is assigned its own unique sound source (I1-I4), which allows identifying each of the zones (4001-4004).

In the specified sonification scheme, the statistical characteristics of the connections are determined using the preprocessing module (210), which represent the total number of network connections in each of the zones (4001-4004) of the corporate network (400) in one time interval (in accordance with the selected aggregation interval ( 1,3,5,10 sec)), the ratio of blocked and allowed connections, the deviation of the current value of the number of connections from the average number of connections in a given network zone, the ratio of the number of connections from this zone to the total number of connections, the number of zones with which connections are established from this zone.

[0032] These statistical characteristics are then transmitted to the sonification module (220) and the visualization module (240) to perform the step, including sonification and data visualization (303). At the stage of sonification (303), the statistical characteristics obtained at stage (302) for each network zone (PO) are processed using the generated sound scheme. The sound scheme is built as follows: the sound source is the network zone, the number of connections in the network zone is the volume of the sound source, the deviation from the average value in the time interval is the frequency of repetition of the sound of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone is timbre / the pitch of the source.

[0033] The sound source is selected from various kinds of sound representations stored in the database (230) and assigned to each of the zones (4001-4004). Such representations can be, for example, a musical instrument, sounds of the surrounding nature, sounds of animals, sounds of nature, synthesized sounds, or their combinations. The list of sound representations is not limited to the given examples and can be expanded.

[0034] The sound source is superimposed on the generated sonification scheme to generate sound notifications (304) for the detected anomalies in the data transmission network (PO). Anomalies are understood as abrupt changes in the observed statistical characteristics (a sharp change in the number of connections in a certain zone, a change in the ratio of blocked and allowed connections, a strong deviation from the average value of the number of connections in a given zone), which can signal a security incident or the functioning of IT systems. Sonification of anomalies allows more explicit and / or earlier notification of the occurrence of such events and increase the efficiency and speed of response of operators monitoring network activity.

[0035] For example, certain changes in network activity in the data transmission network (110) can signal an incipient DDoS attack, massive virus infection, improper functioning of security tools, and so on. Taking into account the fact that in a large network infrastructure even one firewall (130) can generate tens of thousands of events per second, then using sonification, the operator is able to quickly identify one anomalous subset of them, which requires a more detailed study for threats.

[0036] The visualization module (240) allows to additionally form images on the arising anomalies in the network connections of the data transmission network (110). Module (240) can be implemented, for example, on the Unity engine, which provides various types of generation of visually perceptible information on emerging cybersecurity events. Visualization of the statistical characteristics of data network connections (110) can be generated simultaneously with sound alerts.

[0037] The audio alerts generated by the sonification circuitry in step (304) are output by standard means of an operator workstation, such as headphones. Sound alerts can also be sent to operators on personal mobile devices or other types of wearable devices such as smart watches. The device (200) providing data sonification can be performed in the form of a server and contain information with the assignment of the observed anomalies to operator profiles, which allows generating sound alerts to the required employees. The transfer of such information is carried out by means of wireless communication, for example, such as Bluetooth, Wi-Fi, etc.

[0038] In another particular embodiment, the cybersecurity event sonification scheme can be generated based on statistical characteristics determined based on the analysis of the transport protocol data of network connections. FIG. 5 shows a block diagram of the execution of the process of sonification of cybersecurity events using the sonification model based on the analysis of the network protocol (500). At the first stage (501), data preprocessing is performed, during which events are aggregated over the involved transport protocol (TCP / UDP / ICMP), and the presence of IP addresses and network ports from security events in the black lists of IP addresses and ports is also checked. Blacklists contain malicious and dangerous IP addresses (as a rule, hosts on the Internet involved in malicious activity such as phishing, spam, malware distribution, etc.) and ports, the use of which may indicate an infection of the host of the corporate network of malware.

[0039] In step (502), statistical characteristics are calculated for each transport protocol:

- the number of connections per unit of time;

- deviation from the average value of the number of connections for a specific transport protocol.

[0040] For IP addresses and ports from the black lists, the presence of IP addresses and ports from the black lists in each time interval is calculated.

[0041] Generating a sound environment using the sonification scheme at step (503), while if it is determined that the data received from the security means (120) contains IP addresses and / or ports of network connections from the black list, then for such IP addresses or ports are assigned a separate audio source to identify them in the general data stream (504).

[0042] The sonification model in step (503) is performed as follows.

For transport protocols:

- Transport protocol - separate instrument / sound source;

- The relative number of connections using a specific transport protocol - the volume of the sound source;

- Deviation from the average value of the number of connections for a specific transport protocol - timbre / pitch of the sound source.

For blacklisted IP addresses and network ports:

- Presence of IP address / network port in the blacklist - tool / sound source (separate tool for IP addresses and for network ports);

- The number of IP addresses / ports from the blacklist in one time interval - the volume levels of the instrument / sound source (where zero volume means no entries in the blacklist in this time interval).

[0043] The following is an example of generating a sound ambience using the above sonification model (500):

- TCP protocol - trees rustle from the wind (left);

- UDP protocol - wave noise (right);

- ICMP protocol - wind whistle (left); - IP-address from the black list - overflows / chimes in the style of a wind catcher (left);

- blacklisted network port - ship whistle (right).

[0044] Also, another example of a sonification model as shown in FIG. 6, an aggregation analysis based on the action of a security agent (600) can be performed. At the preprocessing stage (601), events are aggregated according to the type of actions of the firewall (allow / deny / alert / drop / reset), and it also checks for the presence of IP addresses and network ports from security events in the blacklists of IP addresses and ports. Blacklists contain malicious and dangerous IP addresses (as a rule, hosts on the Internet involved in malicious activity such as phishing, spam, malware distribution, etc.) and ports, the use of which may indicate an infection of a host on a corporate malware network.

[0045] Statistical characteristics are calculated for each transport protocol (602):

- the number of attempts to connect with the given action of the security device per unit of time;

- deviation from the average value of the number of connections for a specific action of the protective equipment

For IP addresses and ports from the black lists, the presence of IP addresses and ports from the black lists in each specified time interval is calculated.

[0046] Generating a sound environment using the sonification scheme at step (603), while if it is determined that the data received from the security means (120) contains IP addresses and / or ports of network connections from the black list, then for such IP addresses or ports are assigned a separate audio source to identify them in the general data stream (604).

[0047] The sonification model in step (603) is performed as follows:

- Type of action of the network tool - a separate instrument / sound source;

- The relative number of attempts to connect with this action of the firewall - the volume of the sound source;

- Deviation from the average value of the number of connections for a specific action of the protective equipment - timbre / pitch of the sound source.

For blacklisted IP addresses and network ports:

- Presence of IP address / network port in the blacklist - tool / sound source (separate tool for IP addresses and for network ports); - The number of IP addresses / ports from the blacklist in one time interval - the volume levels of the instrument / sound source (where zero volume means no entries in the blacklist in this time interval).

[0048] The following is an example of generating a sound ambience using the above sonification model (600):

- allow action - trees rustle from the wind (right);

- action deny (reject) - the sound of a burning fireworks (left);

- alert action - crickets, rarely bird (left)

- drop action (throwing off) - sparrows and other birds (right)

- reset action (reset) - owl (right)

- action not defined - (left) wind whistle;

- ip-address from the black list - overflows, wind catcher (center);

- blacklisted network port - bells (center).

[0049] The presented diagrams and examples of the distribution of sound sources are presented only for the purpose of displaying one example of creating a sound environment.

[0050] FIG. 7 shows an example of a general view of a computing system (700) based on a computing device that provides an implementation of the claimed method. The computing device can be a computing device suitable for performing sonification and data processing functionality, for example, a personal computer, laptop, smartphone, tablet, server, etc. The device (200) can be a particular embodiment of the computing system (700). [0051] In the General case, the system (700) contains one or more processors (701) united by a common bus (710), memory means such as RAM (702) and ROM (703), input / output interfaces (704) , input / output devices (705), and a device for networking (706).

[0052] The processor (701) (or multiple processors, multi-core processor) can be selected from a range of devices currently widely used, for example, Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™ and etc. Under the processor, it is also necessary to take into account a graphics processor, for example, an NVIDIA or ATI GPU, which is also suitable for complete or partial execution of the data processing and sonification method. In this case, the memory means can be the available amount of memory of the graphics card or graphics processor. [0053] RAM (702) is a random access memory and is intended for storing machine-readable instructions executed by the processor (701) for performing the necessary operations for logical processing of data. RAM (702) typically contains executable instructions of an operating system and associated software components (applications, software modules, etc.).

[0054] ROM (703) is one or more persistent storage devices such as a hard disk drive (HDD), solid state data storage device (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0055] Various types of I / O interfaces (704) are used to organize the operation of the components of the computing system (700) and to organize the operation of external connected devices. The choice of the appropriate interfaces depends on the specific version of the computing device, which can be, but are not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, Type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0056] To ensure the interaction of the user with the computing system (300), various means (705) I / O information are used, for example, a keyboard, display (monitor), touch display, touch-pad, joystick, mouse manipulator, light pen, stylus, touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification (retina scanner, fingerprint scanner, voice recognition module), etc.

[0057] The networking tool (706) allows the system (300) to transmit data via an internal or external computer network, such as an Intranet, Internet, LAN, and the like. One or more means (706) may be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, and dr.

[0058] Additionally, satellite navigation aids can be used as part of the system (400), for example, GPS, GLONASS, BeiDou, Galileo.

[0059] Modifications and improvements to the above-described embodiments of the present technical solution will be apparent to those skilled in the art. The foregoing description is provided by way of example only and does not imply any restrictions. Thus, the scope of the present technical solution is limited only by the scope of the attached claims.

Sources of information: 1. Rogozinsky G.G. Models and methods of sonification of cyber-physical systems /

Dissertation, St. Petersburg, St. Petersburg State University of Telecommunications. prof. M.A. Bonch-Bruevich, 2019

2. Debashi M, Vickers R (2018) Sonification of network traffic flow for monitoring and situational awareness. PLoS ONE 13 (4): e0195948. https://doi.org/10.1371/ioumal.pone.0195948

Claims

FORMULA 1. Computer-implemented method of sonification of cybersecurity events generated by firewalls, performed using a processor and containing stages at which: - carry out the collection of data of events of cybersecurity, which include IP-addresses of network exchange nodes, the time of connection between nodes and the reaction of firewalls to these connections; - the obtained IP-addresses are aggregated according to their belonging to the zones of the data transmission network and the statistical characteristics of the connections between the nodes of each aggregated zone of the network are calculated in a given time interval; - generate a scheme for the sonification of events on the basis of the mentioned statistical characteristics of connections between network nodes, and the mentioned scheme is formed as: sound source - network zone, number of connections in the network zone - sound source volume, deviation from the mean value in the time interval - frequency of sound repetition of the mentioned source in the time interval, the ratio of blocked and allowed connections for each zone - timbre / pitch of the source sound; - generate sound notifications for incoming cybersecurity notifications in accordance with the above-mentioned sonification scheme. 2. The method according to claim 1, characterized in that the network zones and connections between them are visualized in real time. 3. The method according to claim 2, characterized in that the visualization is performed synchronously with the generation of sound notifications. 4. A method according to any one of claims. 1 - 3, characterized in that sound notification and / or visualization of network zones is transmitted to the user's mobile device. 5. The method according to claim 1, characterized in that the source is selected from the group: musical instrument, sounds of the surrounding nature, sounds of animals, sounds of nature, synthesized sounds, or combinations thereof. 6. System for sonification of cybersecurity events generated by firewalls, containing at least one processor and at least one data storage means containing machine-readable instructions that, when executed by a processor, perform a method according to any one of claims. 1-5.