SYSTEM AND METHOD FOR CYBERSECURITY

20220103582 · 2022-03-31

    Abstract

    A method for threat detection and automated mitigating response to IP-based and DDoS-borne cybersecurity events and threats. The disclosed system can provide autonomous system numbers (ASNs) to prevent several network-borne cyber threats. These ASNs can be distributed to devices on a network along with IP addresses. Disclosed is an ASN record that can be incorporated into global DNS servers and systems and can store the IP address and the private and public ASNs. The disclosed system and method can also provide anomaly detection techniques based on the ASN and geolocation proximity.

    Claims

    1. A method for preventing network attacks, the method comprising the steps of: generating autonomous system numbers (ASNs) for devices on a network; providing a global registry for recording autonomous system numbers as a public autonomous system number (ASN) and a private ASN; and providing an ASN record, the ASN record having an IP address, the public ASN, and the private ASN for a device.

    2. The method according to claim 1, wherein the method further comprises the steps of: applying an anomaly detection algorithm to detect an anomaly in a network; and upon detecting the anomaly, applying machine learning-based algorithms to detect the source of the anomaly.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0010] The accompanying figures, which are incorporated herein, form part of the specification and illustrate embodiments of the present invention. Together with the description, the figures further explain the principles of the present invention and enable a person skilled in the relevant arts to make and use the invention.

    [0011] FIG. 1 is a block diagram showing an exemplary embodiment of the system, according to the present invention.

    DETAILED DESCRIPTION

    [0012] Subject matter will now be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific exemplary embodiments. Subject matter may, however, be embodied in a variety of different forms and, therefore, covered or claimed subject matter is intended to be construed as not being limited to any exemplary embodiments set forth herein; exemplary embodiments are provided merely to be illustrative. Likewise, a reasonably broad scope for claimed or covered subject matter is intended. Among other things, for example, the subject matter may be embodied as methods, devices, components, or systems. The following detailed description is, therefore, not intended to be taken in a limiting sense.

    [0013] The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any embodiment described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments. Likewise, the term “embodiments of the present invention” does not require that all embodiments of the invention include the discussed feature, advantage, or mode of operation.

    [0014] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of embodiments of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “includes” and/or “including”, when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

    [0015] The following detailed description includes the best currently contemplated mode or modes of carrying out exemplary embodiments of the invention. The description is not to be taken in a limiting sense but is made merely for the purpose of illustrating the general principles of the invention, since the scope of the invention will be best defined by the allowed claims of any resulting patent.

    [0016] In one aspect, disclosed is a cybersecurity system and a method for detecting and mitigating IP-spoofing-based network attacks, including DDoS attacks and DDoS botnets. In addition to IP addresses, a new namespace can be used, referred to herein as autonomous system numbers (ASNs). The ASNs are unique random numbers managed by a central main authority, such as a Global Unified ASN Registry. The ASNs can be allocated to all computers in a network by a Locally Sourced Registry that is kept in full sync with the Global Unified ASN Registry. The ASNs can be incorporated into existing network structures, such as DNS servers. A new record, referred to herein as an ASN record, can be generated and incorporated in central DNS servers. The ASN record can include an IP address and a public and a private ASN. This can serve as a new global DNS security standard used to identify and mitigate the source of an attack.

    [0017] In one embodiment, the ASNs can be allocated through an extension of the DHCP protocol, which allocates the IP addresses and also creates an ASN record in the DNS that holds the private and public ASNs.

    [0018] For detecting IP-spoofing-based attacks as well as DDoS attacks and DDoS botnets, the method can also provide a threat detection algorithm. The threat detection algorithm can provide efficient network anomaly detection techniques with geolocation proximity. The geolocation proximity can be useful to detect the real source of the attack and capture forensic data. The method can also provide a machine learning-based model that, upon detection of an anomaly, can perform a reverse ASN lookup for traffic traversing a virtual appliance cluster.

    [0019] In one embodiment, the machine learning-based model can be trained using live detection data generated from intrusion detection and prevention with automated responses and mitigation steps through active traffic redirection into native honeypot containment. Honeypots are known in the art as decoy servers that act as a trap to identify attacks early and take the appropriate response.

    [0020] Forensics can be collected via native Kubernetes using forensic security containers with an internal blacklist that can sync to all internal devices.

    [0021] The disclosed anomaly detection algorithm can quickly validate the sending ASN routing path and look for numbers that do not align with the ASN record. It can use geolocation proximity to detect the source of IP spoofing, DDoS, and DDoS botnet attacks. Every packet carrying an ASN that is sent through Internet routing networks and traverses the cluster is automatically registered in the Virtual Appliance registry. Once an anomaly is detected and the threat is identified, the connected source ASN is validated and then compared against the packet header's IP address as well as the new ASN global DNS record that contains both the private and public ASNs. If the registered numbers do not match, the connection is dropped immediately. All packets whose ASN does not match are logged for the event and registered in the built-in Blacklist Registry of detected spoofed and DDoS IPs. The connection is also dropped immediately at the edge of the network if the IP spoofer attempts to connect through another spoofed IP originating from the same ASN with a similar address range and pattern of activity.
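    The following is an added example, not code from the patent application. It models, in Python, the pieces that paragraphs [0017] and [0021] describe: a DHCP-like allocator that hands out a unique random per-device ("private") ASN, an ASN record keyed by IP address that also carries the "public" ASN of the Internet-facing router, and the validation step that drops and blacklists packets whose ASNs do not match the record, including the rule that later traffic from the same public ASN and a similar address range is dropped at once. Note that the patent's ASN is a per-device random identifier and is distinct from BGP autonomous system numbers. All class and function names, the record layout, the choice of /24 (or /64) as the "similar address range", the handling of an IP with no record, and the sample addresses and ASN values are assumptions.

```python
# Added example, not the patent's own code. Models the allocator of [0017]
# and the validation/blacklist step of [0021]; names and layout are assumed.
from __future__ import annotations

from dataclasses import dataclass, field
import ipaddress
import secrets


@dataclass(frozen=True)
class ASNRecord:
    ip: str
    public_asn: int   # ASN of the Internet-facing router (assumed layout)
    private_asn: int  # per-device ASN allocated by the local registry


@dataclass(frozen=True)
class Packet:
    src_ip: str
    public_asn: int
    private_asn: int


def address_range(ip: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    """The 'similar address range' of [0021], assumed to be /24 (v4) or /64 (v6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


class ASNRegistry:
    """Stands in for the Locally Sourced Registry synced with the global registry."""

    def __init__(self) -> None:
        self.records: dict[str, ASNRecord] = {}
        self.used: set[int] = set()

    def allocate(self, ip: str, public_asn: int) -> ASNRecord:
        # DHCP extension of [0017]: draw a fresh random ASN until it is unique.
        while True:
            asn = secrets.randbelow(2**32)
            if asn not in self.used:
                break
        self.used.add(asn)
        rec = ASNRecord(ip, public_asn, asn)
        self.records[ip] = rec
        return rec

    def lookup(self, ip: str) -> ASNRecord | None:
        return self.records.get(ip)


@dataclass
class Blacklist:
    """Blacklist Registry of detected spoofed/DDoS sources ([0021])."""
    entries: list[tuple[Packet, str]] = field(default_factory=list)

    def add(self, pkt: Packet, reason: str) -> None:
        self.entries.append((pkt, reason))

    def matches_pattern(self, pkt: Packet) -> bool:
        # Same public ASN and same address range as an already blacklisted packet.
        rng = address_range(pkt.src_ip)
        return any(
            e.public_asn == pkt.public_asn and address_range(e.src_ip) == rng
            for e, _ in self.entries
        )


def validate_packet(pkt: Packet, registry: ASNRegistry,
                    blacklist: Blacklist) -> tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet."""
    if blacklist.matches_pattern(pkt):
        return "drop", "matches blacklisted ASN and address range"
    rec = registry.lookup(pkt.src_ip)
    if rec is None:  # assumption: an IP with no ASN record cannot be validated
        blacklist.add(pkt, "no ASN record for source IP")
        return "drop", "no ASN record for source IP"
    if (pkt.public_asn, pkt.private_asn) != (rec.public_asn, rec.private_asn):
        blacklist.add(pkt, "ASN mismatch")
        return "drop", "ASN mismatch"
    return "accept", "ASNs match record"


def run_demo() -> list[tuple[str, str]]:
    """Constructed traffic: one genuine packet, then spoofing attempts."""
    registry = ASNRegistry()
    blacklist = Blacklist()
    rec = registry.allocate("10.0.0.5", public_asn=100200)  # constructed values
    packets = [
        Packet("10.0.0.5", rec.public_asn, rec.private_asn),      # genuine host
        Packet("10.0.0.5", rec.public_asn, rec.private_asn ^ 1),  # spoofed: wrong private ASN
        Packet("10.0.0.77", rec.public_asn, 4242),                # another IP, same ASN and /24
        Packet("192.0.2.9", rec.public_asn, 4242),                # different range, no record
    ]
    return [validate_packet(p, registry, blacklist) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, "-", reason)
```

    Running the block accepts the genuine packet, drops and blacklists the packet with a mismatched private ASN, drops the next packet from the same public ASN and /24 purely on the blacklist pattern, and drops the packet from an unrecorded address. The pattern rule is worth evaluating carefully before deployment: once one spoofed packet has been blacklisted, any host in the same address range behind the same public ASN (including the legitimate 10.0.0.5 above) is dropped as well, so the rule trades collateral blocking for fast containment.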

    [0022] In one case, both attempts can be logged into a built-in Microsoft SQL 2019 Linux instance running within a container within the platform. The platform can have a 4-node, cross-connected Kubernetes container cluster with automated response and mitigation for cyber attacks. If a DDoS attack is attempted, the container cluster can start provisioning containers in a honeypot architecture with the specific purpose of gathering forensic data. Once detected, the initial attack is very briefly allowed to continue so that threat intelligence can be gathered. Once the containers have the forensic data, the system stores it in a highly encrypted Linux database instance. The platform keeps a copy of some of the containers from the attack so that they can be uploaded to the Forensics Container Registry, from which they can be exported to governing authorities anywhere in the world. The source of the attacks can then be blacklisted, including its public and private ASNs.

    [0023] In one embodiment, the disclosed solution can be built on a container platform that contains forensic containers that log packets from the attack. If it is a single-source DDoS attack, one forensic container can be launched to capture all of the attacker's network locations. These containers can record and retain all the data on the attack, which can be exported to authorities so that they can arrest the associated cybercriminal. If it is a botnet attack coming from dozens to hundreds of zombie machines, then a container can be provisioned for every source in the attack, including geolocation proximity and the Internet-facing network router that is the source of the attack. Their public ASN can be identified, allowing authorities to home in on the criminals.

    [0024] In one embodiment, the ASN record can be a unique DNS record that captures the server's or endpoint's IP address and local ASN, together with the public ASN of the Internet-facing router, and adds them to the ASN record. Once adopted, every DNS server on the planet can use the ASNs for all network-borne threat detection, prevention, and automated response to threats.

    [0025] Referring to FIG. 1, which is a block diagram showing an exemplary embodiment of the system, the system can have a processor 110 and a memory 120 coupled to the processor through a system bus 130. The memory can include an ASN generator 140. The ASN generator, upon execution by the processor, can generate unique numbers for each device on a network. In one case, an extension of the Dynamic Host Configuration Protocol can generate the ASNs. The ASNs can be recorded in ASN records that include an IP address and a public and a private ASN. The ASNs, including the public and private ASNs, can be stored in a centralized registry, such as the Global Unified ASN Registry 150. If an anomaly is detected by the disclosed system using the anomaly detection algorithm 160, the AI engine 170 can find the source of the anomaly, such as a DoS attack. The AI engine can perform a reverse ASN lookup to find the source of the anomaly.

    [0026] While the foregoing written description of the invention enables one of ordinary skill to make and use what is considered presently to be the best mode thereof, those of ordinary skill will understand and appreciate the existence of variations, combinations, and equivalents of the specific embodiment, method, and examples herein. The invention should therefore not be limited by the above-described embodiment, method, and examples, but by all embodiments and methods within the scope and spirit of the invention as claimed.