PROTECTION SYSTEM OF INFORMATION NETWORKS AND RELEVANT SECURITY PROCEDURE
20220272119 · 2022-08-25
CPC classification: H04L63/145 (Electricity), G06F21/53 (Physics), H04L63/1475 (Electricity), H04L63/0236 (Electricity), G06F21/55 (Physics)
Abstract
Disclosed is a security system against an attack and/or cyber threat carried out over an information network having at least one or more hosts and/or one or more clients and possibly connected to an Internet network and/or other types of networks. The security system is able to recognize the attack and/or cyber threat and to implement a consequent countermeasure. The security system constitutes one of the clients and has a connection to the information network, an electrical supply thereof, at least one socket adapted to the electrical connection of one or more of the hosts and/or clients of the same information network and an electrical supply cutoff for the one or more hosts and/or clients connected thereto.
Claims
1. Security system against an attack and/or cyber threat carried out over an information network comprising at least one or more hosts and/or one or more clients or other devices and possibly connected to an Internet network and/or other types of networks, said security system being able to recognize said attack and/or cyber threat and to implement a consequent countermeasure, wherein said security system constitutes one of said one or more clients and comprises: means for the connection to said information network, means for the electrical supply thereof, at least one socket adapted to the electrical connection of one or more of said hosts and/or clients of the same information network (R), means for cutting-off the electrical supply for said one or more hosts and/or clients connected thereto, said security system being a “passive” client, i.e. able to receive data packets without making active connections to other hosts and/or clients, said packets being considered as representative of said attack and/or cyber threat.
2. The security system of claim 1, wherein it comprises at least one notification system of said detected attack and/or cyber threat, said notification system comprising light and/or sound notification and/or e-mail and/or SMS and/or “file log” signaling devices or the like.
3. The security system of claim 2, wherein said at least one notification system may send said notifications and/or an alarm to other hosts and/or clients of said information network.
4. The security system of claim 1, wherein it comprises a programmable board comprising at least one processor, on said at least one processor there being installed at least one operating system and at least one software: adapted to the control of said received data packets, capable of acting on said means for cutting-off the electrical supply of said one or more of said hosts and/or clients connected to said security system, and settable for any said notifications.
5. The security system of claim 4, wherein on said processor of said programmable board one or more “false server processes” that act as “honeypots” may be provided, said “false server processes” consisting in programs and/or services that act as target for said attack and/or cyber threat.
6. The security system of claim 1, wherein said means for cutting-off the electric supply for said one or more hosts and/or clients connected thereto comprise a relay, said relay being connected to said programmable board and comprising a normally closed switch, the detection of said attack and/or threat resulting in the opening of said switch.
7. The security system of claim 1, wherein said electric supply means thereof may comprise: at least one port comprising a seat for a connector for the connection to the mains, and/or one or more batteries, possibly rechargeable.
8. The security system of claim 1, wherein said means for the connection to said information network comprise at least one port for a network cable and/or Wi-Fi® or Bluetooth® modules.
9. The security system of claim 1, wherein it comprises a key for manually opening and/or resetting said switch of the relay.
10. The security system of claim 1, wherein it is of the type capable of communicating via network and/or special known communication protocols to other hosts and/or clients to start their security and shutdown procedures via software.
11. The security system of claim 1, wherein it is “plug & play” and “stand alone”, said system being easily connectable in said information network.
12. Security procedure against an attack and/or cyber threat coming from a software and/or an attacker and carried out over an information network comprising at least one or more hosts and/or one or more clients, said procedure being implementable through the security system of claim 1, wherein it comprises at least the following steps: receiving one or more data packets; checking whether said data packets represent a threat; energetically disconnecting at least one or more of said hosts and/or clients of said information network (R) in case of attack and/or detected cyber threat; said procedure allowing an attack and/or cyber threat to be identified already during the scanning and/or enumeration of the active IP addresses in the information network operated by said software and/or attacker.
13. The security procedure of claim 12, wherein it further comprises the step of notification of the detected threat.
14. The security procedure of claim 12, wherein it communicates via network and/or special known communication protocols to other hosts and/or clients of said information network to start their security and shutdown procedures via software.
Description
[0042] Further characteristics of the present invention will be apparent from the following description of some preferred embodiments, which are illustrated in the patent claims and shown for illustrative, not limiting purposes in the appended drawings, wherein:
[0043]
[0044]
[0045]
[0046]
[0047] The characteristics of the invention will be now described with reference to the Figures.
[0048] Firstly, it must be noted that the following description will refer to devices and protection/security systems that can be applied and used on information networks of any type and architecture; consequently, the example of
[0049] In other words, the following description, which refers to an information network R that comprises at least one or more hosts H, relative clients C and switches SW that are possibly connected to and cooperate with an external network (i.e. an Internet I or a “local” network), will also apply to any other network architecture of known type.
[0050] Moreover, the term “host” will indicate any type of server or similar device, whereas the term “client” will indicate generic electronic or information devices, such as, for illustrative, not limiting purposes, computers, notebooks, workstations, mobile devices (smartphones, hand-held devices, tablets, e-readers, etc.) or video-surveillance devices, NASs, “smart objects” (i.e. IoT-compatible devices or objects), smart household appliances (i.e., for illustrative, not limiting purposes, washing machines and dishwashers, cooktops, extractor hoods and filtration hoods, boilers and water heaters, heat pumps, web-TVs or the like), domotics technologies, CNC machines for industrial use, automotive systems, automatic teller machines, POS devices, cash registers (including new-generation RT models) or similar equipment.
[0051] With reference to
[0052] According to the invention, said security system 1 is directly integrated in an information network R (for instance, but not necessarily, of the type shown in
[0053] Therefore, said security system 1 can be considered as a client of the information network R to be protected and is therefore characterized and identified with its own IP and MAC address.
[0054] Without any limiting purpose, as diagrammatically shown in
[0055] Preferably, one or more server H and/or client C devices can be connected to said security system 1, directly or by means of relative switches SW of known type (as shown in
[0056] Advantageously, the system 1 is preferably a “stand alone” and “plug&play” device in order to be easily connected to the network, for example to said switches SW, and is able to:
[0057] recognize, operating in passive mode, the first steps of a cyber attack, which consist in the scan and in the subsequent enumeration of the IP addresses that are active in the network;
[0058] consequently implement an innovative countermeasure consisting in cutting off the electrical power of the servers H and/or clients C or any other devices, thus preventing the spread of any virus, malware or cyber threat over the network and protecting the privacy and the security of said servers H and/or clients C or other devices.
[0059] In other words, said security system 1 is technically suitable for recognizing a network scan by a malware or an attacker, said scan being simultaneously carried out on all devices H, C of the network.
[0060] Therefore, said security system 1 is suitably configured to:
[0061] passively “receive” one or more data packets addressed to the security system (1) or addressed in broadcast in the LAN, without making any active connection to other host and/or client servers,
[0062] “check” the data packets (which are intrinsically “anomalous” and representative of an attack because the system is passive and has no active connections to other hosts and/or clients characterized by an exchange of data packets), verifying whether they reflect a signature or pattern that is recognized as threat,
[0063] “energetically cut-off” and disconnect the servers H and/or clients C and/or other devices (i.e. networking devices) in case of detection of malicious packets.
[0064] According to a possible embodiment of the invention, the security system 1 can combine said energy cut-off with a suitable notification and alarm system of said detected threat, for example a light and/or sound notification, and/or an e-mail message, an SMS, a “local log file” or the like;
[0065] the notifications can be simultaneously sent also to other servers and/or clients of the network.
[0066] For the sake of clarity, a passive security system 1 is a client that does not make any active connection with any other device in the LAN during the ordinary conditions of operation and use, said system 1 being therefore involved in a complete data connection only when an attack or a cyber threat is received.
[0067] After a general presentation, this description continues illustrating the various components and the operation of the security system 1 of the invention in more detail.
[0068] As shown in
[0069] means 2 for the connection to an information network R wherein it acts as client (see also
[0070] means 3 for the electrical supply comprising, according to the embodiment of
[0071] at least one socket 4 (preferably of “female” type, indifferently “Schuko”, “Italian” or any other type available on the market) for the connection of one or more servers H and/or clients C of the same information network R.
[0072] As additionally shown in
[0073] Said board 10 preferably integrates an ARM processor (which guarantees low energy consumption for the requested quantity of calculation) and is normally connected to a router or to a network switch SW by means of said network cable 20 or Wi-Fi/Bluetooth modules.
[0074] Moreover, the programmable board 10 is connected to a relay 12 (i.e. a 220 V single-channel relay with a 5 V DC input), with function and operating mode as described below.
[0075] More precisely, the programmable board 10 and the relay 12 are connected by means of a suitable cable 13 (defined as “relay cable”) comprising at least one normally closed ON/OFF switch 14.
[0076] The internal electrical circuitry of the security system 1 according to the present invention is completed by a pair of cables 15, 16, respectively for connecting the power supply 11 and the relay 12 to the connector 17, and an additional connection cable 18 of the relay 12 to the socket 4 for the one or more servers H and/or clients C or other devices of the network to be protected.
[0077] The electrical powering or cutting-off of the socket 4 and, consequently, of the various devices H, C connected to the socket 4 will depend on the closed or open status of the switch 14 of the relay 12.
[0078] According to a possible executive variant of the invention, said means 3 for the electrical powering of the security system 1 of the invention may comprise batteries, possibly rechargeable batteries.
[0079] Such a solution appears advantageous for a temporary external use of the security system 1, for example for the protection of cash registers (also of RT type), POS devices or the like.
[0080] It is also possible to provide a “mixed” power supply, i.e. batteries for the programmable board 10 and electrical power supply for the socket 4, or vice versa.
[0081] Also in case of battery power, the energy cutting-off of the hosts H and/or clients C connected to the security system 1 will depend on the status of the relay or of similar switches with the same technical characteristics and the same operation mode.
[0082] For the aforementioned light and/or sound notifications generated by the security system 1 of the invention when a threat is detected, specific “notification devices” can be provided, such as LEDs, speakers or sirens.
[0083] In
[0084] For illustrative purposes, in case of anomalies in the network, the LEDs of the security system 1 can light up with a red light and/or can start flashing, whereas the siren can generate a specific sound, with different tone, volume and/or frequency according to the type and/or level of the detected threat; in view of the above, the user can immediately contact the technical service or take immediate action to neutralize the propagation of the cyber threat, if able to do so.
[0085] At software level, a suitable operating system, such as Debian Linux or one of its derivatives, is installed in the programmable board 10 of the security system 1.
[0086] At least one first control software of the data packets exchanged in the network is executed in said operating system, preferably based on the rules and modes of firewalls or software security systems of known type.
[0087] More precisely, said first software is a “passive” program, i.e. a program that is not interposed between a connection of servers H or clients C of the information network for a direct control; therefore, it operates as a sort of “trap”, awaiting the occurrence of a malicious event, represented by a scan and/or enumeration process of the information network by a malware or an attacker.
[0088] Specifically, said first software can be an IDS (possibly free software licensed under the GNU GPL) that monitors suspicious activities of network scanning or of connection requests from malware or an attacker, such as, for illustrative, not limiting purposes, server H and/or client C enumerations, identification of the operating system or “forced login attempts”.
[0089] Based on the control and on the analysis of the data packets received from the network, if considered to be “malicious” (by means of algorithms and check modes of known type), said first software can activate a second software that manages said relay 12, specifically designed for opening the normally closed ON/OFF switch 14 (although, according to another variant, the opening can be controlled by the first software). Said management software sends a suitable signal to the relay 12. The relay 12 is excited and changes the status of the ON/OFF switch 14 from “normally closed” to “open”, thus energetically cutting-off the socket 4 of the security system 1 and the various server H and/or client C devices or the other devices connected to the socket 4.
[0090] Said software allows for detecting the scan of the information network R connected to the security system 1, interpreting such a scan as malicious, “switching-off” the various H, C devices connected to the system and disconnecting the power supply, thus avoiding the propagation and the advance of the attack towards said devices.
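The receive/check/cut-off sequence of paragraphs [0060]-[0063] and the first/second software of [0086]-[0090], as an added example that is not the patent's code: a passive client never initiates connections, so inbound SYNs to it are inherently suspicious, and several distinct ports probed by one source within a short window are treated as the scan/enumeration phase and trip a simulated normally-closed relay. The IP address, thresholds, sample packet lines and the Relay class are constructed assumptions; on the real board the relay call would drive a GPIO pin.

```python
"""Passive scan detection with relay cut-off (added example, not the patent's code).
Models the "first software" (passive packet check) and the "second software" (relay
driver). Sample lines, the system's IP and the thresholds are constructed/assumed."""
from collections import defaultdict, deque

OWN_IP = "192.168.1.50"        # assumed IP of the passive client (security system 1)
BROADCAST = "255.255.255.255"
SCAN_PORTS = 3                 # distinct ports probed by one source ...
SCAN_WINDOW_S = 10.0           # ... within this window counts as scan/enumeration

# Constructed sample of inbound headers: "time src dst dport tcp_flags" (S=SYN, A=ACK)
SAMPLE_LINES = """\
0.0 192.168.1.9 192.168.1.20 80 S
0.5 192.168.1.9 192.168.1.50 22 S
3.0 192.168.1.77 192.168.1.50 22 S
3.1 192.168.1.77 192.168.1.50 80 S
3.2 192.168.1.77 192.168.1.50 443 S
3.3 192.168.1.77 192.168.1.50 8080 S""".splitlines()


class Relay:
    """Normally-closed relay feeding socket 4: closed means the devices are powered."""
    def __init__(self):
        self.closed = True
    def trip(self):           # "second software": excite the relay, open switch 14
        self.closed = False
    def manual_reset(self):   # the manual key of claim 9 re-closes the switch
        self.closed = True


class PassiveScanDetector:
    def __init__(self, own_ip, relay):
        self.own_ip, self.relay, self.alerts = own_ip, relay, []
        self._syns = defaultdict(deque)   # src -> deque of (time, dport)

    def observe(self, line):
        """Check one inbound packet line; return True if it tripped the relay."""
        ts, src, dst, dport, flags = line.split()
        ts, dport = float(ts), int(dport)
        if dst not in (self.own_ip, BROADCAST):  # only traffic aimed at us or broadcast
            return False
        if "S" not in flags or "A" in flags:    # pure SYN = connection attempt
            return False
        q = self._syns[src]
        q.append((ts, dport))
        while ts - q[0][0] > SCAN_WINDOW_S:     # forget probes outside the window
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= SCAN_PORTS and self.relay.closed:
            self.relay.trip()                   # cut power to socket 4
            self.alerts.append(f"t={ts}: enumeration from {src} on ports {ports}")
            return True
        return False


def run(lines=SAMPLE_LINES, own_ip=OWN_IP):
    """Feed every line; return (detector, index of the line that tripped the relay)."""
    det, tripped_at = PassiveScanDetector(own_ip, Relay()), None
    for i, line in enumerate(lines):
        if det.observe(line) and tripped_at is None:
            tripped_at = i
    return det, tripped_at
```

A single stray SYN from one source stays below the threshold, so only the third distinct port from 192.168.1.77 opens the relay; later probes are ignored because the socket is already de-energized.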
[0091] According to a possible embodiment of the invention, the security system 1 may also comprise one or more “false server processes” that are installed in the programmable board 10 and act as “honeypot”.
[0092] More specifically, said “false server processes” may consist in programs and/or services that are executed in background and act as a target for a malware or an attacker; in other words, the “false server processes” induce the malware or the attacker to attack the security system 1 of the invention rather than the other hosts H and/or clients C of the information network that are simultaneously scanned.
[0093] For completeness, it must be additionally noted that the software installed in the security system 1 of the invention is also set to notify the detected malicious scanning via e-mail, SMS or any text message and additionally to activate the light and/or sound alarms, if any, as illustrated above.
[0094] Evidently, numerous variants of the aforementioned invention are possible to those skilled in the art, without leaving the scope of novelty that is intrinsic in the inventive idea; likewise, in the practical implementation of the invention, the various aforementioned components can be replaced by technically equivalent elements.
[0095] For instance, in case of a detected threat, in addition to cutting-off and disconnecting the power supply of the various devices H, C, the security system 1 of the invention can:
[0096] communicate with other remote host and/or client devices over the network and/or via communication protocols of known type to start their security and automatic shutdown procedures via software,
[0097] report the anomalies directly to the technical service.
[0098] Additional light sources integrated in the security system 1 of the invention can indicate the presence or absence of the Internet network signal, its status, and possible malfunctions or anomalies in the connections with the various network devices.
[0099] Finally, the security system 1 of the invention may also comprise a manual key (not shown in the figures) for the opening and/or the voluntary reset of said ON/OFF switch 14 of the relay 12 by the user.
[0100] Said key is provided and inserted in the relay cable 13 to manually disconnect or re-connect the power supply of the various host H and/or client C devices connected to the security system 1, and acts as a supplementary countermeasure in addition to the “automatic” countermeasure implemented by the software of the security system 1.
[0101] The security system 1 of the invention may also comprise an additional button (also known as “check button”) to manually check the status of the network connected to the security system 1, especially upon activation.
[0102] As a conclusion, it appears manifest that the purposes of the invention are achieved with the security system 1, with particular reference to the possibility of immediately detecting a cyber threat during the first attack steps, blocking its propagation to the various host and/or client devices in the network in an effective, quick and secure way, by cutting-off and disconnecting the power supply.
[0103] Moreover, said security system is inexpensive and easy to install, being of Plug&Play type, and does not require any additional configuration or technical skills by the user.
[0104] The security system 1 can be used in a number of different ways, can be implemented in any existing information network and can be possibly associated with the firewalls and IDSs/IPSs of known type.