METHOD AND APPARATUS FOR PREVENTING MALICIOUS NETWORK TRAFFIC

20240430298 · 2024-12-26

Abstract

A method (100) for preventing malicious network traffic is described, the method including: providing (110), by a key generation appliance, a client key to a client device; receiving (120), by a control appliance, a data packet intended for an application server from the client device; determining (130), by the control appliance, whether the data packet includes the client key; forwarding (140) the data packet, by the control appliance, to the application server in response to a determination that the data packet comprises the client key; and/or blocking (150) the data packet, by the control appliance, in response to a determination that the data packet does not include the client key. Further, an apparatus (360) and a system (300) are provided that are configured to perform the method (100).

Claims

1. A method for preventing malicious network traffic, the method comprising: providing (110), by a key generation appliance, a client key to a client device; receiving (120), by a control appliance, a data packet intended for an application server from the client device; determining (130), by the control appliance, whether the data packet comprises the client key; at least one of: a) forwarding (140) the data packet, by the control appliance, to the application server in response to a determination that the data packet comprises the client key; or b) blocking (150) the data packet, by the control appliance, in response to a determination that the data packet does not comprise the client key.

2. The method of claim 1, wherein determining whether the data packet comprises the client key, comprises: determining whether the client key comprised by the data packet is valid.

3. The method of claim 1, wherein determining whether the data packet comprises the client key, comprises: determining, based on a time stamp of the client key, whether the client key comprised by the data packet has not expired.

4. The method of claim 1, wherein the client key provided to the client device is a first client key, and wherein determining whether the data packet comprises the client key, comprises: determining whether the data packet comprises the first client key or a second client key derivable from the first client key.

5. The method of claim 4, wherein determining whether the data packet comprises the client key, comprises at least one of: a) determining, whether a previous data packet previously received from the client device comprises the first client key; and determining whether the data packet comprises the second client key; or b) determining, whether a previous data packet previously received from the client device comprises the second client key; and determining whether the data packet comprises a third client key different from the second client key, wherein the third client key is derivable from the first client key.

6. The method of claim 1, wherein determining whether the data packet comprises the client key, comprises: determining, whether the client key comprised by the data packet is associated with at least one of the client device or a user of the client device.

7. The method of claim 1, wherein determining whether the data packet comprises the client key, comprises: determining, whether the data packet comprises the client key at a predetermined position within the data packet.

8. The method of claim 1, further comprising: receiving (230), by the key generation appliance, an authentication key, wherein the authentication key is indicative of an authentication of at least one of the client device or a user of the client device; and providing (110), by the key generation appliance, the client key to the client device in response to at least one of the receipt or a validation of the received authentication key.

9. The method of claim 1, further comprising: receiving (240), by the key generation appliance, a platform key associated with the client device; and providing (110), by the key generation appliance, the client key to the client device in response to at least one of the receipt or a validation of the received platform key.

10. The method of claim 1, further comprising: receiving (210), by an authentication appliance, user credentials of a user of the client device; and transmitting (220), by the authentication appliance, an authentication key to at least one of the key generation appliance or the client device in response to at least one of the receipt of the user credentials or a validation of the received user credentials.

11. The method of claim 1, further comprising: receiving (120) by the control appliance, a plurality of data packets intended for the application server from the client device; determining (130), by the control appliance, whether multiple of the plurality of data packets comprise the client key; and at least one of: a) forwarding (140), by the control appliance, all of the data packets of the multiple data packets that comprise the client key to the application server; or b) blocking (150), by the control appliance, all of the data packets of the multiple data packets that do not comprise the client key.

12. The method of claim 11, further comprising: blocking (150), by the control appliance, all of the data packets of the multiple data packets that do not comprise the client key; and forwarding (140) the remaining data packets of the plurality of data packets to the application server.

13. An apparatus (360) for preventing malicious network traffic, the apparatus comprising: a control appliance (320); and a key generation appliance (340); wherein the apparatus is configured to perform the method of claim 1.

14. A system (300) for preventing malicious network traffic, the system comprising: the apparatus (360) of claim 13; an authentication appliance (350), wherein the authentication appliance is configured to: receive user credentials of a user of the client device (330); and transmit an authentication key to the key generation appliance (340) in response to at least one of the receipt of the user credentials or a validation of the received user credentials.

15. The system of claim 14, further comprising at least one of: the application server (310); or the client device (330).

16. A computer program fixed in a tangible medium comprising instructions which, when the program is executed by a computer, cause the computer to carry out the method of claim 1.

17. (canceled)

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0055] The present invention may be better understood from reading the following description of non-limiting embodiments, with reference to the attached drawings, wherein:

[0056] FIG. 1 shows a flowchart of a first method for preventing malicious network traffic;

[0057] FIG. 2 shows a flowchart of a second method preceding the first method; and

[0058] FIG. 3 shows a network system configured to perform the first and/or the second method.

DETAILED DESCRIPTION

[0059] FIG. 1 shows a flowchart of a method 100 for preventing or blocking malicious network traffic, in particular for preventing malicious network data packets from reaching an application server. The method 100 may be performed by at least some of the network components comprised by the network system 300 shown in FIG. 3.

[0060] The method 100 starts with step 110 in which a client key is provided by a key generation appliance 340 to a client device 330. The key generation appliance 340 may be comprised by a network traffic control device 360. In other words, the client key may be provided to the client device 330 by the network traffic control device 360.

[0061] The client key may be a key generated by the key generation appliance 340. The client key may further be particularly designed for a control process performed by a control appliance 320 as described in more detail below.

[0062] The network system 300 and the method 100 may be a system and a method used for a gaming application, for example for an online gaming application. That is, the client device 330 may be a game client. The application server 310 may be a game server. The key generation appliance 340 may be a token API. The client key may herein also be referred to as a first client key or a client token, in particular a client long token.

[0063] The client key may be generated for, and/or associated with, a specific client device 330. The client key may be provided to the client device 330 upon request. For example, the key generation appliance 340 may provide the client device 330 with the client key, i.e. transmit the client key to the client device 330, in response to a request received from the client device 330.

[0064] In step 120, a control appliance 320 receives a data packet from the client device 330. The data packet is intended for the application server 310. In other words, the client device 330 transmits the data packet to the application server 310 via control appliance 320.

[0065] The control appliance 320 may be comprised by the network traffic control device 360. In other words, the data packet intended for the application server 310 may be received by the network traffic control device 360.

[0066] In step 130, the control appliance 320 determines whether the data packet received from the client device 330 comprises the client key that was previously provided to the client device 330 by the key generation appliance 340 in step 110.

[0067] If the data packet received from the client device 330 comprises the client key, as determined in step 130, the control appliance 320 forwards the data packet to the application server 310 in step 140. If the data packet received from the client device 330 does not comprise the client key, as determined in step 130, the control appliance 320 blocks the data packet in step 150, i.e. does not forward the data packet to the application server 310.

[0068] Thereby, all data packets that do not comprise the client key and that are transmitted from the client device 330 to the application server 310 are prevented from reaching the application server 310 by the control appliance 320 controlling the network traffic between client 330 and application server 310.

[0069] In that manner, the network traffic between the client device 330 and the application server 310 is controlled on a packet-by-packet basis. In other words, the control appliance 320 may determine whether a data packet belongs to malicious network traffic or is part of a network attack, such as a DDoS attack, based on the content of the data packet itself.

[0070] That is to say that the control appliance 320 may even detect the first malicious data packet of an attack performed against the application server 310. Hence, neither the control appliance 320 nor any other network component of the network system 300 needs to detect patterns within the network traffic in order to identify malicious network packets. Whereas a process based on pattern detection inherently blocks too many or too few data packets, the method described herein blocks (i) all data packets that do not comprise a valid client key and (ii) only those data packets, in a deterministic manner. The decision depends solely on the presence and validity of the client key, not on the remaining content of the data packet.

[0071] Method step 130, in which the control appliance 320 determines whether the data packet received from the client device 330 comprises the client key that has been previously provided to the client device 330 by the key generation appliance 340, is now described in more detail.

[0072] The control appliance 320 may determine that the data packet comprises the client key only if the client key (or part of the client key, or another client key derivable from the client key, as described below) comprised by the data packet is valid. A valid client key may be the latest or newest client key of a plurality of client keys previously provided to the client device 330 by the key generation appliance 340.

[0073] A valid client key may be, for example, a client key that has not yet expired. An expired client key may be a client key that has been replaced by a newer or subsequent client key.

[0074] Additionally, or alternatively, a client key (or part of the client key, or another client key derivable from the client key, as described below) may have a limited time of validity. In other words, a client key may be determined to be an expired client key if a predetermined time interval has expired or elapsed since the client key has been generated by the key generation appliance 340 and/or provided to the client device 330. Put in another way, the control appliance 320 may determine an age of the client key, for example based on a timestamp of the client key, and may determine that the client key is an expired client key if the age of the client key exceeds a predetermined threshold age. Additionally, or alternatively, the control appliance 320 may determine that the client key is an expired client key if the point in time or time interval given by a timestamp of the client key has passed. In other words, the key generation appliance 340, in step 110, may define when the client key will expire.

[0075] Thus, a new client key may be provided to the client device 330 by the key generation appliance 340, in particular upon request by the client device 330, if a previous client key has become invalid and/or has expired, or prior to the expiration or invalidation of the client key.

[0076] The control appliance 320 may further determine that the data packet comprises the client key if the data packet comprises at least a part of the client key, in particular (only) a part of the client key or another client key derivable from the client key. In other words, the data packet sent from the client device 330 to the application server 310 via the control appliance 320 may comprise a second client key, or a client short (or tiny) key, or a client short token. The second client key may represent a part of the first (complete) client key. The second client key may be shorter and/or smaller in size compared to the first client key. Put in yet another way: the method may determine that the client key is comprised by the data packet even if the data packet (only) comprises the second client key.

[0077] In that manner, the data packets sent from the client device 330 via the control appliance 320 to the application server 310 may be smaller in size and still comprise the, or a, valid client key. Moreover, the determination performed by the control appliance 320 in method step 130, whether the data packet comprises the client key, may be performed in a more efficient way, in particular faster. Furthermore, the control appliance 320 may store only the second, i.e. shorter, client key in a memory associated with or used by the control appliance 320, thereby further enhancing the efficiency of the method 100, the network traffic control device 360 and the network system 300.

[0078] The control appliance 320 may further determine in step 130 that the data packet comprises the client key by determining that the data packet comprises at least the second client key, in particular only the second client key, in combination with the determination that a previous data packet previously received from the client device comprises the (complete, i.e. first) client key.

[0079] In other words, a first data packet sent from the client device 330 to the application server 310 may be forwarded by the control appliance 320, i.e. may pass the control appliance 320, only if said first data packet comprises the first client key or client long key. A subsequently received second data packet sent from the client device 330 to the application server 310 may be forwarded by the control appliance 320 only if the second data packet comprises the first client key or the second client key, i.e. the client short key.

[0080] In that manner, it is ensured that the client device is or was in possession of the first client key. Hence, the efficiency of the network system 300 or the method 100 may be enhanced by using the client short key whilst ensuring security and/or reliability of the system and method.

[0081] The control appliance 320 may only forward the data packet received from the client device 330 to the application server 310 if the second client key comprised by the second data packet is associated with, i.e. belongs to, is based on, is derivable from, or is a part of, the first client key comprised by a first data packet previously received. Upon provision of a new or subsequent client key by the key generation appliance 340 to the client device 330, the control appliance 320 may only forward a data packet comprising a respective new second client key that may represent a part of the new first client key, if a data packet comprising the new first client key has been previously received. In other words, in order to have all data packets forwarded to the application server 310, the provision of a new client key by the key generation appliance 340 requires the incorporation of the new client key in any subsequent data packet sent by the client device 330.

[0082] The control appliance 320 may determine in step 130 that the data packet comprises the client key if the client key comprised by the data packet is associated with the client device 330 and/or a user of the client device 330. The control appliance 320 may store, or be otherwise in possession of, data pairs indicating that a specific client key belongs to, i.e. is associated with, a specific client device and/or a specific user of the specific client device. The control appliance 320 may perform said determination, for example, based on source information comprised by the data packet, in particular comprised in the header of the data packet.

[0083] The control appliance 320 may determine in step 130 that the data packet comprises the client key if the data packet comprises the client key at a predetermined position within the data packet. For example, the control appliance 320 may determine that the data packet comprises the client key only if the client key is positioned at the end of the header of the data packet and/or at the beginning of the payload of the data packet, or at a predetermined position within the header and/or within the payload of the data packet.

[0084] Similarly, the control appliance 320 may determine, in the above-mentioned exemplary method steps comprised by the method step 130, that the data packet does not comprise the client key if the above described requirements are not fulfilled and may thus block the respective data packets, as described with reference to step 150.
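The packet check of step 130, including the validity and expiry rules of paragraphs [0072] to [0074], the long/short key rule of paragraphs [0076] to [0081], the client association of paragraph [0082] and the fixed key position of paragraph [0083], as an added example in Python that is not part of the patent. The packet layout (a 4-byte opaque header, then a key-kind byte, then the key, then the payload), the client key format (client id, expiry, 16 random bytes), the derivation of the short key as a truncated hash of the long key, and the registration of issued keys with the control appliance over link 345 are all assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict

# Assumed packet layout: a 4-byte opaque application header, then a 1-byte key
# kind at the predetermined position right after the header, then the key itself,
# then the payload. None of these sizes come from the patent.
HEADER_LEN = 4
KIND_LONG, KIND_SHORT = 0x01, 0x02
LONG_KEY_LEN = 4 + 4 + 16      # client id | expiry (unix seconds) | 16 random bytes (assumed)
SHORT_KEY_LEN = 8

# Constructed sample long key for client id 7, expiring at 1_700_000_600.
SAMPLE_LONG_KEY = struct.pack(">II", 7, 1_700_000_600) + bytes(range(16))


def derive_short_key(long_key: bytes) -> bytes:
    """Client short key: an unkeyed hash of the long key, truncated, so the client
    can derive it without any secret. Assumed derivation, not the patent's."""
    return hashlib.sha256(long_key).digest()[:SHORT_KEY_LEN]


def key_expiry(long_key: bytes) -> int:
    """Expiry timestamp carried in the assumed long key layout (paragraph [0074])."""
    return struct.unpack(">I", long_key[4:8])[0]


def build_packet(header: bytes, kind: int, key: bytes, payload: bytes) -> bytes:
    assert len(header) == HEADER_LEN
    return header + bytes([kind]) + key + payload


@dataclass
class Registration:
    long_key: bytes
    short_key: bytes
    expires_at: int
    long_seen: bool = False    # becomes True once a packet carrying the full key passed


class ControlAppliance:
    """Steps 130 to 150: forward a packet only if it carries the registered key."""

    def __init__(self) -> None:
        # (client address -> key) pairs as in paragraph [0082]
        self._by_client: Dict[str, Registration] = {}

    def register(self, client_addr: str, long_key: bytes) -> None:
        """Called by the key generation appliance (link 345, assumed) after step 110.
        A newer key replaces the old one, which thereby expires (paragraph [0073]);
        the new short key is accepted only after the new long key has been seen."""
        self._by_client[client_addr] = Registration(
            long_key, derive_short_key(long_key), key_expiry(long_key))

    def check(self, client_addr: str, packet: bytes, now: int) -> str:
        """Return 'forward' or 'block' for one packet from client_addr."""
        reg = self._by_client.get(client_addr)
        if reg is None or now >= reg.expires_at:
            return "block"                       # no key for this client, or key expired
        if len(packet) < HEADER_LEN + 1:
            return "block"                       # nothing at the predetermined key position
        kind = packet[HEADER_LEN]
        start = HEADER_LEN + 1
        if kind == KIND_LONG:
            key = packet[start:start + LONG_KEY_LEN]
            if len(key) != LONG_KEY_LEN or not hmac.compare_digest(key, reg.long_key):
                return "block"
            reg.long_seen = True                 # client proved possession of the full key
            return "forward"
        if kind == KIND_SHORT:
            key = packet[start:start + SHORT_KEY_LEN]
            if not reg.long_seen or len(key) != SHORT_KEY_LEN:
                return "block"                   # short key only after the long key ([0079])
            if not hmac.compare_digest(key, reg.short_key):
                return "block"
            return "forward"
        return "block"                           # unknown key kind at the key position


def run_demo() -> list:
    """Verdicts for a constructed packet stream from one registered client."""
    ctl = ControlAppliance()
    ctl.register("10.0.0.5", SAMPLE_LONG_KEY)
    hdr = b"GAME"
    short = derive_short_key(SAMPLE_LONG_KEY)
    stream = [
        ("10.0.0.5", build_packet(hdr, KIND_SHORT, short, b"move"), 1_700_000_000),  # short before long
        ("10.0.0.5", build_packet(hdr, KIND_LONG, SAMPLE_LONG_KEY, b"hello"), 1_700_000_000),
        ("10.0.0.5", build_packet(hdr, KIND_SHORT, short, b"move"), 1_700_000_010),
        ("10.0.0.5", build_packet(hdr, KIND_SHORT, b"\0" * 8, b"move"), 1_700_000_010),  # forged key
        ("10.0.0.5", hdr + b"move", 1_700_000_010),                                     # no key
        ("10.0.0.9", build_packet(hdr, KIND_SHORT, short, b"move"), 1_700_000_010),     # other source
        ("10.0.0.5", build_packet(hdr, KIND_SHORT, short, b"move"), 1_700_000_600),     # expired
    ]
    return [ctl.check(src, pkt, now) for src, pkt, now in stream]
```

The verdict depends only on the key at the fixed position, exactly as the claims describe, so the client key is a bearer value: whoever observes a long or short key on the wire can replay it in packets of their own until it expires, and nothing binds the key to the payload. A deployment would therefore still need transport encryption or a per-packet authenticator on top of the scheme; the patent does not address this.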

[0085] Prior to providing the client key by the key generation appliance 340 to the client device 330, the method 100 may perform some or all of the method steps 210 to 240 of method 200, a flowchart of which is shown in FIG. 2.

[0086] In a first method step 210 an authentication appliance 350 receives user credentials, i.e. user identification data, such as a user name, and/or user security data, such as a user password, from a user of the client device 330. The user credentials may be transmitted from the client device 330 to the authentication appliance 350.

[0087] In response to the receipt and/or a validation of the received user credentials, the authentication appliance 350 transmits an authentication key to the client device 330 in step 220. In other words, the client device 330 receives the authentication key after having transmitted user credentials to the authentication appliance 350, i.e. after having logged in at the authentication appliance 350 or at an authentication service of the authentication appliance 350.

[0088] The user of the client device 330 may have a personal account at the authentication appliance 350 that is used to authorise the user for specific services, such as joining a game hosted on a game server, e.g. the application server 310. The client device 330 may use the authentication key to prove to a server, e.g. the application server 310, that the client device 330 is operated by a specific user, for example a player, who has been authenticated by the authentication appliance 350. However, the authentication key, which may be used as a proof of authentication in different server systems and/or for different purposes, may be unsuitable or less suitable for controlling network traffic in order to prevent malicious data packets from reaching the application server 310. For example, the authentication key may be too long or too big in size to be incorporated in the data packets to be transmitted from the client device 330 via the control appliance 320 to the application server 310.

[0089] The client device 330 sends the authentication key to the key generation appliance 340, which receives the authentication key in step 230. In exchange for the authentication key received from the client device 330, the key generation appliance 340 may provide the client device 330 with the client key, in particular with the client key associated with the client device 330, as discussed with reference to method step 110.

[0090] In that manner the client key may be used by the control appliance 320 in order to determine whether or not to forward the data packet to the application server 310. A client key may be generated that is specifically designed for its use by the control appliance 320. Furthermore, the communication of the client key between the control appliance 320 and the key generation appliance 340 may be facilitated by using a client key generated by the key generation appliance 340 rather than the authentication key. In particular, the control appliance 320 and the key generation appliance 340 may both be part of the network traffic control device 360 as discussed above. As a further advantage, the client key may be generated and/or renewed independently of the authentication key, which may also be used for other purposes, thereby avoiding additional network traffic and/or additional coordination between the control appliance 320, the key generation appliance 340 and/or the authentication appliance 350. At the same time, any data packet comprising the client key remains tied to an authentication key, i.e. to a user and/or a client device authenticated by an additional, independent authentication appliance.

[0091] Additionally, or alternatively, the authentication appliance 350 may directly communicate with the key generation appliance 340. In particular, the authentication appliance 350 may directly transmit the authentication key associated with the client device 330 to the key generation appliance 340.

[0092] In addition to, or in lieu of, the authentication key, the client device 330 may transmit a platform key associated with the client device to the key generation appliance 340, which is received by the key generation appliance 340 in step 240. The key generation appliance 340 may provide the client device 330 with the client key only upon receipt of the platform key and/or the authentication key. The platform key may be static, i.e. may not change upon a change of a user of the client device. In that manner, both the user of the client device and the client device may be authenticated and/or validated by the key generation appliance 340 prior to a provision of the client key to the client device 330 by the key generation appliance 340, as discussed with reference to method step 110.

[0093] Alternatively, or additionally, the client device 330 may communicate the platform key, or platform token, to the authentication appliance 350, wherein the authentication appliance 350 subsequently transmits the platform key and/or the authentication key to the key generation appliance 340.
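The login and issuance sequence of steps 210 to 240 and 110, as an added Python example that is not part of the patent. The authentication key format (issue time and user name, tagged with an HMAC under a secret shared between the authentication appliance and the key generation appliance over link 355), the lifetimes, the registry of known platform keys, and the client key layout (client id, expiry, 16 random bytes) are assumptions of this example; the user table and platform key are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Set, Tuple

# Assumed secrets and lifetimes; nothing here comes from the patent.
AUTH_SECRET = b"auth-appliance-secret-example"   # shared over link 355 (assumed)
AUTH_KEY_LIFETIME = 3600      # seconds during which an authentication key is accepted
CLIENT_KEY_LIFETIME = 300     # seconds until the client key expires (paragraph [0074])
TAG_LEN = 32


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthenticationAppliance:
    """Steps 210/220: validates user credentials and returns an authentication key."""

    def __init__(self, users: Dict[str, str]) -> None:
        # constructed user table; passwords are salted and stretched, never stored
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: int) -> Optional[bytes]:
        record = self._users.get(username)
        if record is None:
            return None
        salt, reference = record
        if not hmac.compare_digest(_hash_password(password, salt), reference):
            return None
        # authentication key = issue time | user name | HMAC tag: a proof of login,
        # but at 40+ bytes too big to carry in every packet (paragraph [0088])
        body = struct.pack(">I", now) + username.encode()
        return body + hmac.new(AUTH_SECRET, body, hashlib.sha256).digest()


class KeyGenerationAppliance:
    """Steps 230/240/110: exchanges a valid authentication key and platform key
    for a client key, and keeps the issued keys for the control appliance."""

    def __init__(self, known_platform_keys: Set[bytes]) -> None:
        # only hashes of the static platform keys are kept (assumed design choice)
        self._platforms = {hashlib.sha256(k).digest() for k in known_platform_keys}
        self.issued: list = []    # (client id, client key) pairs for link 345

    def issue(self, auth_key: bytes, platform_key: Optional[bytes],
              client_id: int, now: int) -> Optional[bytes]:
        if not self._auth_key_valid(auth_key, now):
            return None                                      # user not authenticated
        if platform_key is None or hashlib.sha256(platform_key).digest() not in self._platforms:
            return None                                      # device not recognised
        client_key = struct.pack(">II", client_id, now + CLIENT_KEY_LIFETIME) + os.urandom(16)
        self.issued.append((client_id, client_key))
        return client_key

    @staticmethod
    def _auth_key_valid(auth_key: bytes, now: int) -> bool:
        if len(auth_key) <= 4 + TAG_LEN:
            return False
        body, tag = auth_key[:-TAG_LEN], auth_key[-TAG_LEN:]
        expected = hmac.new(AUTH_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        issued_at = struct.unpack(">I", body[:4])[0]
        return issued_at <= now < issued_at + AUTH_KEY_LIFETIME


def parse_client_key(client_key: bytes) -> Tuple[int, int]:
    """(client id, expiry) from the assumed client key layout."""
    return struct.unpack(">II", client_key[:8])


def run_demo() -> Dict[str, object]:
    """Login, exchange for a client key, and the refusals along the way."""
    now = 1_700_000_000
    auth = AuthenticationAppliance({"alice": "correct horse battery"})   # constructed
    keygen = KeyGenerationAppliance({b"console-platform-key-A"})        # constructed
    auth_key = auth.login("alice", "correct horse battery", now)
    tampered = auth_key[:-1] + bytes([auth_key[-1] ^ 1])
    return {
        "bad_password": auth.login("alice", "wrong", now),
        "client_key": keygen.issue(auth_key, b"console-platform-key-A", 7, now),
        "unknown_platform": keygen.issue(auth_key, b"other", 7, now),
        "tampered_auth_key": keygen.issue(tampered, b"console-platform-key-A", 7, now),
        "stale_auth_key": keygen.issue(auth_key, b"console-platform-key-A", 7,
                                       now + AUTH_KEY_LIFETIME),
    }
```

The key generation appliance never sees a password and the authentication appliance never sees a client key, which is the separation paragraph [0090] argues for; the only coupling is the HMAC secret, and in the variant of paragraph [0091] the authentication appliance could instead push the authentication key to the key generation appliance over link 355 and no shared secret would be needed.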

[0094] FIG. 3 shows the network system 300 configured to perform the methods 100 and 200 shown in FIGS. 1 and 2, as described with reference to said FIGS. 1 and 2. In particular, FIG. 3 shows network traffic control device 360 configured to perform method 100 as described with reference to FIG. 1.

[0095] More particularly, the network system 300 comprises the application server 310 communicatively coupled to the control appliance 320 by a first network link 315. The network system 300 further comprises the client device 330 communicatively coupled to the control appliance 320 and to the key generation appliance 340 by a second network link 325 and a third network link 335, respectively. The network system 300 further comprises the key generation appliance 340 communicatively coupled to the control appliance 320 by a fourth network link 345. The network system 300 further comprises the authentication appliance 350 communicatively coupled to the key generation appliance 340 by a fifth network link 355 and communicatively coupled to the client device 330 by a sixth network link 365.

LIST OF REFERENCE SIGNS

[0096] 100 First method
[0097] 110-150 Method steps of the first method
[0098] 200 Second method
[0099] 210-240 Method steps of the second method
[0100] 300 Network system
[0101] 310 Application server
[0102] 315 First network link
[0103] 320 Control appliance
[0104] 325 Second network link
[0105] 330 Client device
[0106] 335 Third network link
[0107] 340 Key generation appliance
[0108] 345 Fourth network link
[0109] 350 Authentication appliance
[0110] 355 Fifth network link
[0111] 360 Network traffic control device
[0112] 365 Sixth network link