Secure administration of a local communication network comprising at least one communicating object

Abstract

A method of managing a local area communication network comprising at least one access equipment for accessing the network is disclosed. At least one communicating object is connected to the network. In one aspect, the method comprises upon detecting connection of a new communicating object to the network and/or upon detecting installation of new firmware on the at least one communicating object connected to the network, a learning phase involving observing interactions of the communicating object with at least one other equipment of the local area network and/or at least one equipment of a wide area communication network accessible via the access equipment. In addition, at least one security rule associated with the communicating object on the basis of the observed interactions is disclosed.

Claims

1. A method of managing a local area communication network comprising at least one access equipment for accessing the network, and at least one communicating object able to be connected to the network, the method comprising: upon detecting connection of a new communicating object to the network and/or upon detecting installation of new firmware on the at least one communicating object connected to the network, a learning phase comprising observing interactions of the communicating object with at least one other equipment of the local area network and/or at least one equipment of a wide area communication network accessible via the access equipment; creating at least one security rule associated with the communicating object on the basis of the observed interactions; and modifying the created security rule if a user of the communicating object is present within the local area communication network.

2. The method of claim 1, wherein the at least one security rule associated with the communicating object comprises a list of at least one equipment of the local area communication network and/or of the wide area communication network that the communicating object is authorized to access.

3. The method of claim 1, wherein the at least one security rule associated with the communicating object comprises a maximum volume of data that the communicating object is authorized to exchange.

4. The method of claim 1, wherein the at least one security rule associated with the communicating object comprises a maximum number of access requests that the communicating object is authorized to transmit.

5. The method of claim 1, wherein the learning phase has a duration able to be parameterized by a manager of the local area communication network.

6. The method of claim 1, further comprising transmitting data relating to the interactions observed for the communicating object to at least one equipment of the wide area communication network.

7. The method of claim 1, wherein the creation of the at least one security rule also takes into account data relating to interactions observed for a communicating object of the same type as the communicating object, in at least one other local area communication network.

8. The method of claim 1, further comprising in the event of detecting an interaction of the communicating object with at least one other equipment of the local area network and/or at least one equipment of a wide area communication network accessible via the access equipment that contravenes the created security rule, blocking the interaction.

9. The method of claim 8, further comprising storing the blocked interaction in a log of suspicious interactions and/or alerting a user of the communicating object.

10. The method of claim 1, wherein detecting connection of a new communicating object to the network is done by detecting the presence of a new MAC address on the network.

11. A non-transitory computer readable product storing program code instructions that when executed by a processor implements the method of claim 1.

12. An access equipment for accessing a local area communication network comprising at least one communicating object able to be connected to said network, the access equipment comprising a hardware processor configured to: detect connection of a new communicating object to the network and/or install new firmware on the at least one communicating object connected to the network; observe interactions of the communicating object with at least one other equipment of the local area network and/or at least one equipment of a wide area communication network accessible via the access equipment; create at least one security rule associated with the communicating object on the basis of the observed interactions; and modify the created security rule if a user of the communicating object is present within the local area communication network.

13. The access equipment of claim 12, wherein the access equipment is configured to implement a method for managing a local area communication network as claimed in claim 1.

14. The access equipment of claim 12 integrated into a home gateway.

15. The access equipment of claim 12, wherein the at least one security rule associated with the communicating object comprises a list of at least one equipment of the local area communication network and/or of the wide area communication network that the communicating object is authorized to access.

16. The access equipment of claim 12, wherein the at least one security rule associated with the communicating object comprises a maximum volume of data that the communicating object is authorized to exchange.

17. The access equipment of claim 12, wherein the at least one security rule associated with the communicating object comprises a maximum number of access requests that the communicating object is authorized to transmit.

18. The access equipment of claim 12, wherein the hardware processor is further configured to transmit data relating to the interactions observed for the communicating object to at least one equipment of the wide area communication network.

Description

4. LIST OF THE FIGURES

(1) Other aims, features and advantages of the invention will become more clearly apparent upon reading the following description, given by way of simple illustrative non-limiting example with reference to the figures, in which:

(2) FIG. 1 shows a schematic view of a local area communication network and of the various communicating objects that are connected thereto, according to one embodiment of the invention;

(3) FIG. 2 shows the various steps of the management method according to one embodiment of the invention in the form of a flowchart;

(4) FIG. 3 provides an overview of an access equipment or of a home gateway implementing the method of FIG. 2.

5. DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

(5) The general principle of the invention is based on establishing security rules specific to each communicating object of a local area communication network, on the basis of its communication needs as observed in a learning phase. In this learning phase, no restrictive security measure is applied to the communicating object, which is considered to have, at the outset, behavior that may be qualified as healthy, or normal, that is to say non-deviant. This learning phase is based for example on a “machine learning” mechanism, and makes it possible to deduce a certain number of security rules to be associated with the communicating object. It may implement inductive logic programming (ILP), fuzzy logic, etc.

(6) In the remainder of this document, a more detailed description is given of the implementation of one embodiment of the invention in the context of a home network, in the home of an individual user. The invention of course also applies to any other type of local area communication network (LAN, for “Local Area Network”), to which a plurality of communication equipments are connected.

(7) In such a home network, shown schematically in FIG. 1, a home gateway HGW referenced 10 makes it possible to connect a local area communication network and a wide area network such as the Internet (not shown). Such a home gateway HGW 10 integrates a DHCP server: it routes data packets on the network, and may also perform the role of a firewall, a proxy, a DNS (for “Domain Name Server”) relay, an IGD (for “Internet Gateway Device”) service, provider, etc.

(8) It also integrates a database, used in the learning phase, from which the security rules specific to each communicating object are able to be formulated.

(9) In the example of FIG. 1, a large number of equipments are present on the local area network, namely: a smartphone 11; a laptop computer 12; a PC computer 13; a tablet 14; a weather station 15; a webcam 16; a thermostat 17.

(10) This list is of course not exhaustive, and many other communicating objects may be present on the user's local area network.

(11) These communicating objects may be connected to the network in a wired manner (Ethernet cable, USB (for “Universal Serial Bus”) port, etc.) or wirelessly (Wi-Fi®, Bluetooth®, ZigBee, Z-Wave®, etc.). They comprise all types of physical objects that are able to communicate digitally on the local area network in order to exchange data. They also comprise software applications associated with certain non-IP (“Internet Protocol”) connected objects, operating on wireless technologies such as BLE (for “Bluetooth® Low Energy”), Z-wave®, Thread®, etc.

(12) Specifically, using such communicating objects more often than not requires installing a management application on an access gateway to the local area communication network. Such an application is based on a virtual machine, or a container, to which the access parameter configuration server (DHCP server) provides an IP address. Such communicating objects that are not naturally compatible with the IP protocol require the implementation of an IoT to IP gateway and/or of the “6LowPan” protocol.

(13) Thus, hereinafter, the term communicating object denotes both physical objects connected to the network and “virtualized” software applications associated with some of these objects.

(14) Such communicating objects may be denoted by the acronym IoT, for “Internet of Things”.

(15) From among the communicating objects in FIG. 1, it is possible to imagine that the smartphone 11 and the tablet 14 have been provided to the user by an Internet Service Provider (ISP), which has also provided the user with the network termination equipment formed by the home gateway HGW 10. Therefore, the access provider knows these equipments 11, 14, and is possibly able to provide the administrator of the local area communication network with predefined security rules for these communicating objects, which could be supplemented and/or refined in the learning phase that follows their first connection to the network, or the updating of their “firmware”. By contrast, other communicating objects such as the webcam 16 or the weather station 15 may originate from other sources and other origins: the access provider may nevertheless have data resulting from the interactions observed for these communicating objects in other local area networks, which said provider would have collected, and which may also be used to establish security rules for these objects in the network of FIG. 1.

(16) In any case, it is important to be able to establish specific security rules applicable to each of these various communicating objects referenced 11 to 17, in order in particular to adapt the rights allocated to these various objects by the DHCP server embedded in the home gateway HGW 10, or to adapt the additional mechanisms for limiting network access for these objects, such as the firewall, and to do so in order to improve the security of the local area network against possible malicious attacks.

(17) To this end, one embodiment of the invention is based on the flowchart of FIG. 2.

(18) An IoT communicating object 20 (for example the webcam 16 in FIG. 1), present on the home network, has just been installed in the ecosystem of the local area network by its manager. It initially does not have an IP address, and therefore sends, in broadcast mode, a DHCP DISCOVER datagram that is addressed to the DHCP servers present on the local area network. This datagram contains in particular the physical address (MAC for Media Access Control) of the IoT 20.

(19) In the example of the network in FIG. 1, a single DHCP server referenced 22 is present on the local area network, for example integrated into the home gateway HGW 10. It thus detects the connection of this new IoT communicating object 21 within the local area communication network (since it sees a new MAC address that it does not know), and then triggers a learning phase APP. 201, during which the interactions of the IoT communicating object 21 with its network ecosystem will be observed, without any specific security constraints being applied.

(20) The presence of a new IoT communicating object 21 within the local area communication network may also be detected by a dedicated service that monitors ARP (for “Address Resolution Protocol”) traffic and detects a new MAC address that is not contained in the ARP tables of the router.

(21) These interactions of the IoT 20 with its environment in “normal” (that is to say healthy or non-malicious) operating mode are symbolized in FIG. 2 by the arrows referenced INTER. 203 and INTER. 204. For the sake of simplicity, a single equipment SERV. 24 with which the IoT 20 interacts has been shown: however, this equipment SERV. 24 may symbolize one or more equipments of the local area communication network (for example the weather station 15, the tablet 14 or the smartphone 11) and one or more servers or remote equipments of the wide area communication network, for example one or more Internet services.

(22) All of these interactions of the IoT 20 with its network environment are stored (REC. 202) by the home gateway HGW 10 within a database BDD 21, integrated into the gateway. The data stored in this way comprise the number of transmissions and receptions by the IoT 20, the size and the frequency of the associated packets, the level 3 and 4 protocols of the OSI (for “Open Systems Interconnection”) model that are used, the communication ports that are used, the addresses of the equipments that are contacted, the servers that are accessed, etc.

(23) The collection duration of this information may be parameterized, by the manager/administrator of the home network for example, depending on the type of communicating object under consideration, on the learning mechanism (PLI, fuzzy logic, etc.) that is used, on a security requirement level, etc. This parameterization may take the form of a time duration of the learning phase APP. 201, expressed in hours or in days, or on a number of requests, or on a volume of data exchanged by the communicating object with the other equipments in its close or remote surroundings.

(24) At the end of deep learning performed on the basis of all of these data collected for IoT 20, it is possible to obtain a behavior profile, or a digital signature, specific to an IoT communicating object or to software or firmware that it embeds.

(25) In this learning phase APP. 201, it is also possible for example to compare this communicating object and/or firmware signature, in the cloud, with other similar signatures that are obtained in other home networks for a communicating object of the same type (for example, same webcam reference from the same manufacturer). This comparison may be performed by a dedicated server of the network of the operator, after sending of this signature, representative of all of the observation data collected for the IoT 20, by the home gateway HGW 10.

(26) From this signature, it is possible to deduce a set of security rules for the IoT 20, which are created and stored in the database BDD 21 (step RG. SEC. 205). This list of security rules is specific to the IoT 20, and applicable only to this communicating object. It may be refined, depending on a result of the comparison of the various signatures collected for the IoT 20 by the operator or the access provider.

(27) This list of security rules makes it possible to exercise various network access control operations on the IoT communicating object 20 by:

(28) limiting routing to other equipments of the local network in FIG. 1;

(29) limiting access to the Internet, with a DNS (for “Domain Name System”) relay limited to a whitelist of domain names;

(30) limiting access to the Internet, with filtering of the TCP/UDP (for “Transmission Control Protocol”/“User Datagram Protocol”) ports able to be used;

(31) preventing access to configuration services, for example UPnP-IGD.

(32) Such a security rule may for example take the form of restricting access for the IoT 20 to another equipment of the local area network, for example the laptop computer 12, on a given TCP port, with a known spec fic protocol type, and packets limited in terms of number and in terms of size.

(33) Taking up the example of the webcam 16 for the IoT communicating object 20, it is possible for example to observe, during the learning phase APP. 201, that “normal” behavior of the webcam 16 comprises: obtaining an IP address from the DHCP server ROUT. 22; requesting the time, through an NTP (for “Network Time Protocol”) request on a timestamp server 24 of the wide area communication network; sending video streams to an IP (for “Internet Protocol”) address specified by the manager/user of the home network, when said manager/user is absent from his home, and when the webcam 16 is used for home surveillance.

(34) The security rules RG. SEC. 205 created at the end of the learning phase APP. 201 may then comprise creating a whitelist of authorized domain names/addresses, contacted by the webcam 16 during normal operation thereof (specifically, that of the timestamp server 24, and the IP address specified by the user), and configuring a maximum volume and frequency for sending video packets, corresponding to what was observed during the learning phase for sending video surveillance streams. All other addresses or domain names are “blacklisted”, that is to say registered on a blacklist of prohibited addresses or access operations.

(35) It is understood that these security rules are specific and applicable only to the IoT 20, in this case the webcam 16: specifically, the communication needs of the smartphone 11 or of the weather station 15 are obviously very different from those of the webcam 16, both in terms of volume of data exchanged and of servers and addresses to be accessed.

(36) At the end of this learning phase APP. 201, the IoT communicating object 20 enters an operating phase in security mode SEC. 210, governed by security rules RG. SEC. 205 stored in the database BDD 21.

(37) In this operating phase SEC. 210, the IoT communicating object 20 interacts with the server SERV. 24 of the wide area communication network, in accordance with the security rules recorded in the database BDD 21: these interactions, illustrated by double-headed arrow INTER. 211 in FIG. 2, correspond to what are called “normal” interactions, that is to say ones authorized by the home gateway HGW 10.

(38) On the other hand, the IoT communicating object 20 may also attempt to access a server or an equipment that is not normally used (that is to say during “normal” operation), for example the server SERV. HACK. 23 in FIG. 2. This access attempt, corresponding to potentially deviant behavior of the IoT communicating object 20, is symbolized by the double-headed arrow DEV. 212. The address of this server SERV. HACK. 23 is therefore not contained in the whitelist stored in the security rules associated with the IoT 20 in the database BDD 21.

(39) In this case, this unusual interaction is immediately blocked by the home gateway HGW 10, as illustrated by the arrow BLOK. 213. The IoT communicating object 20 may then be isolated, in order to prevent use thereof in the context of malicious activities liable to jeopardize the security of the home network. This blocking BLOK. 213 may be accompanied by an action ACT. 214 linked to the detected security problem, which may for example take the form of transmitting an alert to the user, or of storing the deviant behavior in a log of suspicious activities (MEM./AL. 215).

(40) Taking up the abovementioned example of the webcam 16, such deviant behavior DEV. 212 may consist in sending the video surveillance stream from the user's home to an address other than that specified by said user, for example an address abroad. The home gateway HGW 10 may then send an alert message to the user (ACT. 214) and block the video stream transmitted by webcam 16 (BLOK. 213).

(41) The home gateway HGW 10 may also detect that the webcam 16 is sending DNS queries en masse to a server SERV. HACK. 23, and suspect that it is participating in a Botnet (concatenation of “robot” and “network”) attack. In this case, it may disconnect the stream transmitted by the webcam 16 (BLOK. 213), but also isolate the webcam 16 in quarantine (ACT. 214), for example until possible updating of its “firmware” in order to correct the security flaw affecting this communicating object.

(42) Finally, this deviant behavior DEV. 212 may also be internal to the local area communication network. The webcam 16 may for example attack another communicating object of the home network of FIG. 1, for example by inadvertently encrypting the hard disks of the personal computer 13. Once again, it is then possible to block the webcam 16 from accessing the local equipment under attack, and to quarantine this deviant communicating object, until the security flaw affecting it is corrected, or action is taken by the administrator of the home network (for example replacing the webcam 16 with another equipment deemed to be more secure and providing the same function).

(43) Moreover, in one embodiment of the invention, it is also possible to unlock the security upon detecting the presence of an authorized user (for example the administrator of the home network, or a user whose identifier is duly registered by the home gateway HGW 10) in the home network.

(44) Such presence detection may be based on detecting the subscriber's smartphone on the local area communication network. It may also be based for example on detecting movement at home, by way of Z-Wave sensors (a radio protocol designed for home automation), for example.

(45) Thus, when the home gateway HGW 10 detects that the user is present close to a communicating object of the network in FIG. 1, or more generally at home, corresponding to the environment of the home network, it may decide to ease the security rules associated with IoT communicating objects 20, in order to facilitate access for the user to the services of the home network. It is specifically assumed that, when the user is present, he is himself able to monitor the behavior of the communicating objects in order to detect possible deviance, or intentionally cause an unusual interaction for an IoT communicating object 20 with its network environment, without this unusual interaction otherwise constituting a true malicious action or a security flaw.

(46) This relaxation of the security rules may consist in raising an authorized ceiling for the volume of data exchanged by the IoT 20, in tolerating access to a server whose address is not contained in the whitelist of authorized access operations, etc.

(47) On the other hand, when it is detected that an authorized user is present in the local area communication network, it is also possible to bolster certain security rules, such as for example in order to prevent remote interactions, such as the transmission of video streams on the wide area communication network by local cameras of the home network. Specifically, when the user is at home, it is a priori not necessary to transmit the video surveillance stream from the home to a remote address.

(48) With reference to FIG. 3, the hardware structure of an access equipment according to one embodiment of the invention is now shown, in which this access equipment, integrating a learning module and a creation module for creating security rules associated with communicating objects, is integrated into a home gateway HGW 10.

(49) The term “module” may correspond equally to a software component or to a hardware component or to a set of software and hardware components, a software component itself corresponding to one or more computer programs or subroutines or, more generally, to any element of a program able to implement a function or a set of functions.

(50) More generally, such a home gateway HGW 10 comprises a random access memory 33 (for example a RAM memory), a processing unit 32 equipped for example with a processor, and controlled by a computer program, representative of the detection module for detecting a new or updated communicating object, of the learning module and of the security rule creation module, stored in a read only memory 31 (for example a ROM memory or a hard disk). On initialization, the code instructions of the computer program are for example loaded into the random access memory 33, before being executed by the processor of the processing unit 32. The random access memory 33 contains in particular the data collected when observing the interactions of the communicating objects with their network environment as described above with reference to FIG. 2, as well as, for each communicating object, all of the security rules that are generated by the creation module and that are associated with the communicating object at the end of a learning phase. The processor of the processing unit 32 controls the recording of the data relating to the interactions of the communicating objects with their network environment in the random access memory 33, the compilation of these data by the learning module, and the resultant creation of security rules by the creation module, in accordance with the flowchart of FIG. 2. In the secure operating mode, the processor of the processing unit 32 also controls the detection of unusual interactions, the blocking thereof, and the triggering of actions linked to the detected security problem, in accordance with the flowchart of FIG. 2.

(51) FIG. 3 illustrates only one particular way, from among several possible ones, of forming the home gateway HGW, such that it performs the steps of the method described above with reference to FIG. 2. Specifically, these steps may be performed indiscriminately on a reprogrammable computing machine (a PC computer, a DSP processor or a microcontroller) executing a program comprising a sequence of instructions, or on a dedicated computing machine (for example a set of logic gates such as an FPGA or an ASIC, or any other hardware module).

(52) If the home gateway HGW 10 is formed with a reprogrammable computing machine, the corresponding program (that is to say the sequence of instructions) may be stored in a removable storage medium (such as for example a floppy disk, a CD-ROM or a DVD-ROM) or a non-removable storage medium) this storage medium being able to be read partly or fully by a computer or a processor.

(53) The various embodiments have been described above with reference to a Livebox® home gateway, but may more generally be implemented in any gateway, router, DHCP server, and more generally in any network equipment located in the flow between the communicating object and the wide area communication network, etc.

Secure administration of a local communication network comprising at least one communicating object

Assignee

Inventors

Cpc classification

Classification Explorer

H04L63/0254

ELECTRICITY

Classification Explorer

H04W12/088

ELECTRICITY

Classification Explorer

H04L12/2834

ELECTRICITY

Classification Explorer

G06F2221/033

PHYSICS

Classification Explorer

H04L63/145

ELECTRICITY

Classification Explorer

H04L63/10

ELECTRICITY

Classification Explorer

H04L61/5014

ELECTRICITY

Classification Explorer

G06F21/572

PHYSICS

Classification Explorer

H04L63/20

ELECTRICITY

Classification Explorer

H04L63/1425

ELECTRICITY

Classification Explorer

H04W12/128

ELECTRICITY

Classification Explorer

H04L63/0263

ELECTRICITY

International classification

Classification Explorer

G06F21/57

PHYSICS

Classification Explorer

H04L12/28

ELECTRICITY

Classification Explorer

H04L61/5014

ELECTRICITY

Classification Explorer

H04L9/40

ELECTRICITY

Abstract

Claims

Description