1. Patent Search
  2. Details

A TELECOMMUNICATIONS DEFENCE SYSTEM

20170250999 · 2017-08-31

    Inventors

    Cpc classification

    International classification

    Abstract

    A telecommunications defence system comprises: at least one shield server; at least one target server arranged to be in communication with the shield server and with a client telecommunications system, via a telecommunications network. The target server is provided in a geographical location of the telecommunications network that is nearer the client telecommunications system than the shield server. The telecommunications defence system further comprises an attack detection application, a communication application and a shielding application. The attack detection application detects an attack aimed at the client telecommunications system via the telecommunications network and generates an identification signal indicative of the source of the attack. The communication application transmits the identification signal to the shield server. The shielding application causes the shield server to generate a shield signal in response to the transmitted identification signal, to provide at least one shield operative to shield the client telecommunications system from the attack identified.

    Claims

    1. A telecommunications defence system comprising: at least one shield server; at least one target server arranged to be in communication with the shield server and with a client telecommunications system, via a telecommunications network, the target server being provided in a geographical location of the telecommunications network that is nearer the client telecommunications system than the shield server; the telecommunications defence system further comprising an attack detection application, a communication application and a shielding application; wherein: the attack detection application contains instructions which, when executed on the target server, detects an attack aimed at the client telecommunications system via the telecommunications network and generates an identification signal indicative of the source of the attack; the communication application contains instructions which, when executed on the target server, transmits the identification signal to the shield server; and the shielding application contains instructions which, when executed on the shield server, cause the shield server to generate a shield signal in response to the transmitted identification signal, to provide at least one shield operative to shield the client telecommunications system from the attack identified.

    2. The system of claim 1 operative such that an attack can be detected at or near the geographical location of the client telecommunications system, but shielded at or near the source of the attack, or at least nearer the source of the attack than the client telecommunications system.

    3. The system of claim 1 or claim 2 wherein the identification signal is indicative of the geographical source of the attack.

    4. The system of any one of the preceding claims wherein the identification signal comprises the source IP address of the attack.

    5. The system of any one of the preceding claims wherein the target server is located in the same geographical location as the client telecommunications system.

    6. The system of claim 5 wherein the target server comprises part of the client telecommunications system.

    7. The system of any one of the preceding claims wherein the attack detection application comprises a decryption module operative on the target server to decrypt an encrypted attack.

    8. The system of any one of the preceding claims wherein a plurality of shield servers are provided, at least one of which is located in a different geographical location from the target server.

    9. The system of claim 8 wherein shield servers are located in a plurality of different geographical locations.

    10. The system of claim 8 or claim 9 wherein more than one shield server is located in each geographical location.

    11. The system of any one of claims 8 to 10 wherein the identification signal is sent to more than one of the plurality of shield servers.

    12. The system of claim 11 wherein the identification signal is sent to all of the shield servers in the system.

    13. The system of any one of the preceding claims wherein the, or another, shield application is adapted to be executed on the target server such that the target server generates or activates a shield.

    14. The system of any one of the preceding claims further comprising a distribution application containing instructions which, when executed on the target server, select whether the target server generates or activates a shield, or whether the shield server generates or activates a shield.

    15. The system of claim 14 wherein the distribution application is operative to determine the size of the attack, such that the shield server generates or activates the shield if the attack is above a predetermined size.

    16. The system of any one of the preceding claims further comprising a security database on which at least one client security signal is stored, the client security signal(s) being arranged to allow secure access to the client telecommunications network.

    17. The system of claim 16 wherein the security database is provided in, or is at least in communication with, the target server.

    18. The system of claim 16 wherein the security database is located in the same geographical location as the client telecommunications system.

    19. The system of any one of claims 16 to 18 operative such that the client security signal(s) is not transmitted over the broader telecommunications network.

    20. The system of claim 19 operative such that the client security signal)s) is not transmitted outside of the geographical location of the client.

    21. The system of any one of the preceding claims arranged to generate a pre-scan signal arranged to perform a pre-scan of the client telecommunications system so as to identify vulnerabilities of the client telecommunications system, the shielding application being arranged to generate a shield signal or signals in response to the vulnerabilities identified in the pre-scan.

    22. The system of any one of the preceding claims wherein the attack detection and/or communication applications are stored on the target server, or on more than one target server, or stored in cloud storage in communication with the target server.

    23. The system of any one of the preceding claims wherein the or each shield application is stored on the shield server, or on more than one shield server, or stored in cloud storage in communication with the shield server.

    24. The system of any one of the preceding claims wherein the or each shield application comprises, or is operative to generate or activate, a shield comprising a web application firewall (WAF).

    25. A target server or target server network of a telecommunications defence system, the at least one target server being arranged to be in communication with a shield server and with a client telecommunications system, via a telecommunications network, the target server being arranged to be provided in a geographical location of the telecommunications network that is nearer the client telecommunications system than the shield server;: the target server comprising an attack detection application containing instructions which, when executed on the target server, detects an attack aimed at the client telecommunications system via the telecommunications network and generates an identification signal indicative of the source of the attack; the target server further comprising a communication application containing instructions which, when executed on the target server, transmits the identification signal to the shield server.

    26. A shield server or shield server network of a telecommunications defence system for shielding a client telecommunications system against a third party attack, the shield server comprising a shielding application containing instructions which, when executed on the shield server, cause the shield server to generate a shield signal in response to an identification signal indicative of the identity of the attack, to provide at least one shield operative to shield the client telecommunications system from the attack identified.

    27. A method of defending a client telecommunications system using a telecommunications defence system, comprising steps of: f) providing at least one target server in communication with a shield server and with a client telecommunications system, via a telecommunications network; g) locating the target server in a geographical location of the telecommunications network that is nearer the client telecommunications system than the shield server; h) generating an attack identification signal indicative of the source of an attack aimed at the client telecommunications system via the telecommunications network; i) generating and transmitting the identification signal to the shield server; and j) generating a shield signal using the shield server in response to the transmitted identification signal, such that at least one shield is provided which is operative to shield the client telecommunications system from the attack identified.

    28. A telecommunications network comprising a telecommunications defence system comprising: at least one shield server; at least one target server arranged to be in communication with the shield server and with a client telecommunications system, via the telecommunications network, the target server being provided in a geographical location of the telecommunications network that is nearer the client telecommunications system than the shield server; the telecommunications defence system further comprising an attack detection application, a communication application and a shielding application; wherein: the attack detection application contains instructions which, when executed on the target server, detects an attack aimed at the client telecommunications system via the telecommunications network and generates an identification signal indicative of the source of the attack; the communication application contains instructions which, when executed on the target server, transmits the identification signal to the shield server; and the shielding application contains instructions which, when executed on the shield server, cause the shield server to generate a shield signal in response to the transmitted identification signal, to provide at least one shield operative to shield the client telecommunications system from the attack identified.

    29. A telecommunications defence system substantially as described herein and as shown in the accompanying drawings.

    30. A server or server network of a telecommunications defence system substantially as described herein and as shown in the accompanying drawings.

    31. A method of defending a client telecommunications system substantially as described herein and as shown in the accompanying drawings.

    32. A telecommunications network comprising a telecommunications defence system substantially as described herein and as shown in the accompanying drawings.

    Description

    DRAWING DESCRIPTION

    [0049] A number of embodiments of the invention will now be described by way of example with reference to the drawings in which:

    [0050] FIG. 1 is a schematic of a telecommunications defence system in accordance with the invention, in communication with a telecommunications network;

    [0051] FIG. 2 is a schematic of a target server of the telecommunications defence system of FIG. 1;

    [0052] FIG. 3 is another schematic of part of the telecommunications defence system of FIG. 1; and

    [0053] FIG. 4 is another schematic of the telecommunications defence system of FIGS. 1 to 3.

    DETAILED DESCRIPTION OF THE DRAWINGS

    [0054] Throughout the description like reference numerals will be used to refer to like features in different embodiments.

    [0055] Referring to the Figures, a telecommunications defence system 1 comprises at least one target server 3 adapted to be in communication with a client telecommunications system 5, and at least one shield server 8, via a telecommunications network 7. In this example, a plurality of shield servers 8 are provided, in a shield server network.

    [0056] In this example a single target server 3 is provided although it is envisaged that multiple target servers 3 may be provided if required. The target server 3 comprises, or is connected to, a power source 9 which powers an electronic data processor 11, a memory 13 and, optionally, a display 15. Suitable control software applications and/or hardware applications are provided on the target server 3 as is known. The, or additional, control application(s) may additionally be stored externally of the target server 3, for example, in cloud storage, the target server 3 being in communication with such remote storage. The or each shield server 8 comprises similar components.

    [0057] The client telecommunications system 5 may comprise a client website, or a more complex client telecommunications network which is connected to the telecommunications network 7.

    [0058] The target server 3 is arranged, via the telecommunications network 7, to be in communication with the shield servers 8 and with the client telecommunications system 5, the target server 3 being provided in a geographical location that is nearer the client telecommunications system 5 than the shield servers 8.

    [0059] The telecommunications system further comprises an attack detection application 17, a communication application 19 and a shielding application 21.

    [0060] Applications 17, 19 may comprise software and/or hardware applications provided on the target server 3, or may comprise applications stored remotely, such as in cloud storage but accessible by the target server 3.

    [0061] Application 21 may comprise a software and/or hardware application provided on the shield server 8, or may comprise an application stored remotely, such as in cloud storage but accessible by the shield server 8.

    [0062] The attack detection application 17 contains instructions which, when executed on the target server 3, detects an attack aimed at the client telecommunications system 5 via the telecommunications network 7 and generates an identification signal indicative of the source of the attack.

    [0063] The communication application 19 contains instructions which, when executed on the target server 3, transmits the identification signal to one or more of the shield servers 8.

    [0064] The shielding application 21 contains instructions which, when executed on one or more of the shield server 8, cause the shield server(s) to generate a shield signal in response to the transmitted identification signal, to provide at least one shield operative to shield the client telecommunications system 5 from the attack identified.

    [0065] The attack could comprise any vulnerability of the client website or network to external attack by a third party. Such a vulnerability may comprise one or more application vulnerabilities (such as SQL injection or Cross-site scripting) or infrastructure vulnerabilities (such as open ports or unpatched services). Such vulnerabilities may include any one or more of the following example vulnerabilities:

    [0066] OWASP top ten web application vulnerabilities;

    [0067] Injection;

    [0068] Broken Authentication and Session state management;

    [0069] Cross site scripting;

    [0070] Insecure direct object references;

    [0071] Security misconfiguration;

    [0072] Sensitive data exposure;

    [0073] Missing functional level access control;

    [0074] Cross site request forgery;

    [0075] Components with known vulnerabilities; and

    [0076] Unvalidated redirects and forwards.

    [0077] The invention therefore provides “cloud shielding” of the client website by providing a wide network of shield servers 8 globally. For example, there may be shield servers 8 in a number of different countries such as New Zealand, Australia and USA for example. One or more shield servers 8 may be provided in any desired geographical location, such as multiple countries for example.

    [0078] The cloud-shielding provided by the system 1 defends against a third party attack at or near the source of the attack and not just at the destination, that is, not just at or near the geographical location of the client telecommunications system. A disadvantage of defence at destination is that all attack traffic is allowed into, for example, New Zealand (or where-ever the target website resides) and the attacks are stopped at the last second with shield servers sitting in front of the website. Instead, system 1 facilitates defending the client website at or near the source of the attack, that is, at the soonest possible opportunity.

    [0079] To achieve this, the system 1 may include a “cloud signalling” protocol for the shield servers 8. Using such a protocol, shields can be created for a New Zealand client website and then those shields are distributed and published globally, via communication of the New Zealand shields from the target server 3 to one or more of the shield servers 8 located elsewhere.

    [0080] A benefit of the system 1, is that the system 1 can store client security signals, such as SSL certificates and private keys, only within the same country as the vulnerable client website. This is useful for security-sensitive client organisations which may not want global propagation of private cryptographic keys for example. Thus a security database 23 may be provided on which such security signals are stored, the database 23 being part of, or in communication with, the client telecommunications system 5. The database 23 may be stored on memory of the target server 3 for example.

    [0081] Attacks which are encrypted may initially be decrypted and detected by the target server 3, within the target country. The cloud signalling protocol can then share information on the attack with the other global nodes on a signalling bus, which distributes details of the attach, including location identification information such as the attacking IP address(es).

    [0082] Advantageously, the point at which attack decryption, detection and cloud signalling occurs may be on the client's own premises.

    Example System Architecture

    [0083] Shield Cloud: In one example, with reference to FIG. 4, the system 1 described above, ie the shield cloud, is online all the time, for all normal users. Attacks are detected at the last-hop cloud node, that is, the target server 3, which is closest to the client application 5. This last-hop node hosts SSL private keys and certificates, stored in database 23, and is capable of detecting attacks which arrive via encrypted channels.

    [0084] Signals are sent to the shield servers 8 identifying relevant attack metadata to allow other nodes, that is, shield servers 3 located elsewhere within the cloud, to mitigate these attacks closer to the source.

    [0085] Shield On-Premise: In one example, the target server 3 of system 1 is installed as a shield detection node on the client's own site 5, consisting of, for example, an F5 Big IP device or virtual machine, or cluster of the same. Reference is made to FIG. 3 where the remote shield servers 3 are omitted.

    [0086] This system hosts SSL private keys for any services which use SSL, and is capable of detecting attacks which arrive via encrypted channels.

    [0087] Traffic is migrated onto the shield cloud, ie to one or more remote shield servers 8, when attacks are too large to handle within the customer datacenter. Target server 3 therefore comprises a distribution application 25 operative to control whether the attack is shielded by the target server 3 and whether the attack is additionally or alternatively shielded by one or more of the shield servers 8. In such cases, signals are sent to shield cloud control systems which identify relevant attack metadata to trigger the migration using DNS changes, and then allow other nodes within the cloud to mitigate these attacks closer to the source.

    [0088] The system 1 may therefore comprise a global shield network which can identify and block attacks (including encrypted attacks) by IP address closer to the source of the attack, without requiring SSL certificates or other sensitive client security information to be hosted outside of the target country.

    Details of Cloud Signalling Protocol:

    [0089] Example integers of a cloud signally protocol used to control system 1 are set out below:

    TABLE-US-00001 Protocol Detail Item: Description: Transport TCP/IP, using TLS/SSL and authentication for encryption and security Signalling message XML messages structure Mitigation Mode Activate Mitigation Mode 0 Activation Signalling Activate Mitigation Mode 1 Messages Activate Mitigation Mode 2 Activate Mitigation Mode x - custom The messages themselves are simple, however the activation of mitigation modes may involve complex behaviour such as DNS changes, which cause traffic to be moved onto the shield cloud and mitigation to commence. The exact behaviour of the shield cloud when each mode is activated is defined on a per-application basis, and stored centrally within a shield database. For example, mitigation strategies differ depending on whether the service type is Shield On-Premise or Shield Cloud, and which node within Shield Cloud is closest to the application server itself. Messages may contain: Device ID Application service ID Mode activation instruction Attacking IP Notification These messages contain details of one or Messages more IP addresses which are attacking the client application and which should be blocked by the shield cloud as close as possible to the source of the attack. Messages may contain: Device ID Application service ID Attacking IP address list

    [0090] Unless the context clearly requires otherwise, throughout the description, the words “comprise”, “comprising”, and the like, are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense, that is to say, in the sense of “including, but not limited to”.

    [0091] Although this invention has been described by way of example and with reference to possible embodiments thereof, it is to be understood that modifications or improvements may be made thereto without departing from the scope of the invention. The invention may also be said broadly to consist in the parts, elements and features referred to or indicated in the specification of the application, individually or collectively, in any or all combinations of two or more of said parts, elements or features. Furthermore, where reference has been made to specific components or integers of the invention having known equivalents, then such equivalents are herein incorporated as if individually set forth.

    [0092] Any discussion of the prior art throughout the specification should in no way be considered as an admission that such prior art is widely known or forms part of common general knowledge in the field.