EP-4440066-B1 - SYSTEMS AND METHODS FOR HIERARCHICAL DEEP PACKET INSPECTION FOR SCALABLE NETWORK MONITORING AND CYBER SECURITY FUNCTIONS

Inventors

  • SINGHAL, ANIL K.
  • MUNSHI, SANJAY

Dates

Publication Date
20260506
Application Date
20240328

Claims (10)

  1. A system (100) for use in a 5G communications network, comprising: a data processing system (110) comprising one or more processors (118) coupled with memory (120), the data processing system (110) configured to: collect a plurality of network data packets from user equipment, network equipment, or monitoring equipment connected to a 5G communications network (105); determine an order for executing a plurality of layer functions of a network architecture based on a priority for each layer function, wherein the layer functions are hierarchical deep packet inspection, DPI, layer functions distributed across multiple hierarchical layers; execute the plurality of layer functions according to the order using the plurality of network data packets as input to generate network data associated with the 5G communications network (105); and adjust the 5G communications network (105) according to the generated network data, wherein, to execute the plurality of layer functions, the data processing system is further configured to: execute a first quantity of DPI layer functions at a sensor layer of the plurality of layers; execute a second quantity of DPI layer functions at a federated application layer of the plurality of layers, the second quantity less than the first quantity; and execute a third quantity of DPI layer functions at a data lake layer of the plurality of layers, the third quantity less than the second quantity, wherein the order for executing the plurality of layer functions comprises instructions to: first, executing the first quantity of DPI layer functions at the sensor layer; second, executing the second quantity of DPI layer functions at the federated application layer; and third, executing the third quantity of DPI layer functions at the data lake layer.
  2. The system (100) of claim 1, wherein the data processing system is further configured to: execute a machine learning model for the first quantity of layer functions at the first layer.
  3. The system (100) of claim 1, wherein: the first quantity of layer functions at the first layer comprises a traffic analysis layer function, a cloud threat detection layer function, an IDP engine layer function, a knowledge base framework layer function, and a threat intelligence feed layer function; the second quantity of layer functions at the second layer comprises a threat detection layer function, a retrospective analysis layer function, an application mapping layer function, and an asset validation layer function; and the third quantity of layer functions at the third layer comprises an automated response layer function, a telemetry data layer function, and a threat intelligence correlation layer function.
  4. The system (100) of claim 1, wherein the network architecture is a hierarchical adaptive service intelligence, ASI, architecture, a hierarchical deep packet inspection, DPI, architecture, or a combination thereof, wherein the ASI architecture comprises four layers.
  5. The system of claim 1, wherein the data processing system is further configured to: execute each layer function of each quantity of layer functions at each layer separately from other layer functions at each layer.
  6. The system (100) of claim 1, wherein the data processing system is further configured to: determine historical network data of the 5G communications network (105) from a communications network database; and execute the plurality of layer functions according to the order using the historical network data as input to generate second network data associated with the 5G communications network (105); and adjust the 5G communications network (105) according to the second generated network data.
  7. A method performed in a 5G communications network, comprising: collecting, by one or more processors, a plurality of network data packets from user equipment, network equipment, or monitoring equipment connected to a 5G communications network (105); determining, by the one or more processors, an order for executing a plurality of layer functions of a network architecture based on a priority for each layer function, wherein the layer functions are hierarchical deep packet inspection, DPI, layer functions distributed across multiple hierarchical layers; executing, by the one or more processors, the plurality of layer functions according to the order using the plurality of network data packets as input to generate network data associated with the 5G communications network (105); and adjusting, by the one or more processors, the 5G communications network (105) according to the generated network data, further comprising: executing, by the one or more processors, a first quantity of DPI layer functions at a sensor layer of the plurality of layers; executing, by the one or more processors, a second quantity of DPI layer functions at a federated application layer of the plurality of layers, the second quantity less than the first quantity; and executing, by the one or more processors, a third quantity of DPI layer functions at a data lake layer of the plurality of layers, the third quantity less than the second quantity, wherein the order for executing the plurality of layer functions comprises instructions to: first, executing the first quantity of DPI layer functions at the sensor layer; second, executing the second quantity of DPI layer functions at the federated application layer; and third, executing the third quantity of DPI layer functions at the data lake layer.
  8. The method of claim 7, wherein the method further comprises executing, by the one or more processors, a machine learning model for the first quantity of layer functions at the first layer; wherein, optionally: the first quantity of layer functions at the first layer comprises a traffic analysis layer function, a cloud threat detection layer function, an IDP engine layer function, a knowledge base framework layer function, and a threat intelligence feed layer function; the second quantity of layer functions at the second layer comprises a threat detection layer function, a retrospective analysis layer function, an application mapping layer function, and an asset validation layer function; and the third quantity of layer functions at the third layer comprises an automated response layer function, a telemetry data layer function, and a threat intelligence correlation layer function; and wherein, optionally, the network architecture is a hierarchical adaptive service intelligence, ASI, architecture, a hierarchical deep packet inspection, DPI, architecture, or a combination thereof, wherein the ASI architecture comprises four layers.
  9. The method of claim 7, further comprising: executing, by the one or more processors, each layer function of each quantity of layer functions at each layer separately from other layer functions at each layer.
  10. The method of claim 7, further comprising: determining, by the one or more processors, historical network data of the 5G communications network (105) from a communications network database; and executing, by the one or more processors, the plurality of layer functions according to the order using the historical network data as input to generate second network data associated with the 5G communications network (105); and adjusting, by the one or more processors, the 5G communications network (105) according to the second generated network data.

Description

BACKGROUND

US 6 816 973 B1 discloses logic that uses historical network data to prioritize analysis tasks, identify attacks, and disable attack signatures or protocol analyses based on assigned priorities and resource utilization thresholds, enhancing adaptive network security. US 2022/182398 A1 discloses a method that monitors network traffic by receiving a packet, determining its source IP address, and using a database to assign a threat probability. Based on this probability, inspection checks are selected and performed, with the threat probability being adjusted as needed. The corresponding system and storage medium perform similar functions, working together to enhance network security by leveraging threat indicators.

SUMMARY

Aspects of the invention are set out in the appended independent claims. Further aspects and preferred embodiments are defined in the dependent claims. Any aspects, embodiments and examples of the present disclosure which do not fall under the scope of the appended claims do not form part of the invention and are merely provided for illustrative purposes.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are not intended to be drawn to scale. Like reference numbers and designations in the various drawings indicate like elements. For purposes of clarity, not every component may be labeled in every drawing. In the drawings:

FIG. 1 is an illustration of a system for hierarchical network monitoring functions, in accordance with an implementation;
FIGS. 2A and 2B are illustrations of network architectures, in accordance with an implementation;
FIG. 3 is a network architecture for hierarchical network monitoring functions, in accordance with an implementation;
FIG. 4 is a network architecture for hierarchical network monitoring functions, in accordance with an implementation;
FIG. 5A is a block diagram depicting an implementation of a network environment including a client device in communication with a server device;
FIG. 5B is a block diagram depicting a cloud computing environment including a client device in communication with cloud service providers; and
FIG. 5C is a block diagram depicting an implementation of a computing device that can be used in connection with the systems depicted in FIGS. 1, 5A and 5B.

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the scope of the subject matter presented here. It will be readily understood that the aspects of the present disclosure, as generally described herein and illustrated in the figures, can be arranged, substituted, combined, and designed in a wide variety of different configurations, all of which are explicitly contemplated and form part of this disclosure.

A network monitoring system may execute various layer functions. For example, the network monitoring system may support a network monitoring method (e.g., deep packet inspection (DPI)) that utilizes various layer functions. The network monitoring system may execute the various layer functions without a defined order (e.g., all or nothing, all at once) to monitor a network for attacks (e.g., threats, irregularities, security breaches). However, performing the layer functions without order may result in increased power consumption, inefficient utilization of network resources, and reduced performance in detecting attacks, among other deficiencies: every function sees the full packet stream, so the most expensive analyses run on traffic that cheaper functions could have discarded.

A computer implementing the systems and methods described herein may overcome the aforementioned technical deficiencies. For example, the computer may determine an order for executing multiple layer functions of a network architecture based on a priority for each layer function, and execute the layer functions according to that order. In some examples, the computer executes a first number of layer functions at a first layer of the network architecture, a second number of layer functions at a second layer, the second number less than the first number, and a third number of layer functions at a third layer, the third number less than the second number. In some cases, the layer functions may include functions to filter noise, detect threats, and allocate resources, among other functionalities. The techniques described herein may result in various advantages over the aforementioned technical deficiencies. For example, adopting the hierarchical execution of layer functions as described herein for a network monitoring system may allow for reduced hardware (e.g., reduced rack units), power consumption by the
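The following is an added illustration of the priority-ordered, hierarchical execution described above; it is example code written for this page, not the patent's or the applicant's implementation. The three layer names (sensor, federated application, data lake) and the five/four/three function names per layer are taken from claims 1 and 3; the packet format, the detection rules inside each function, the priority values, the asset and threat-intelligence tables and the sample packets are all constructed assumptions. The point it makes is the one the description relies on: each higher layer runs fewer functions on less data, because the lower layer has already filtered noise and dropped what is not relevant, and the final "adjust" step only sees what survived all three layers.

```python
"""Priority-ordered hierarchical DPI pipeline (added example, not the patent's code).
Layer and function names follow claims 1 and 3; all rules and data are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    tags: Dict[str, object] = field(default_factory=dict)  # findings attached per layer


# Constructed reference data (assumptions).
BAD_IPS = {"203.0.113.7"}                                    # threat-intelligence feed
ASSETS = {"10.0.0.5": "billing-api", "10.0.0.9": "user-db"}  # managed assets
SERVICES = {80: "http", 443: "https", 3306: "mysql"}
FINDINGS = ("cloud_threat", "signature", "ti_hit")

# --- sensor layer: five functions, run on every collected packet ---
def traffic_analysis(pkts):
    return [p for p in pkts if p.payload]                    # drop empty keepalives (noise)

def cloud_threat_detection(pkts):
    for p in pkts:
        if b"/.env" in p.payload or b"../" in p.payload:
            p.tags["cloud_threat"] = True
    return pkts

def idp_engine(pkts):
    for p in pkts:
        if b"' OR 1=1" in p.payload:                         # toy signature match
            p.tags["signature"] = "sqli"
    return pkts

def knowledge_base_framework(pkts):
    for p in pkts:
        p.tags["service"] = SERVICES.get(p.dport, "other")
    return pkts

def threat_intelligence_feed(pkts):
    for p in pkts:
        if p.src in BAD_IPS:
            p.tags["ti_hit"] = True
    return pkts

# --- federated application layer: four functions, only flagged packets reach it ---
def threat_detection(pkts):
    return [p for p in pkts if any(k in p.tags for k in FINDINGS)]

def retrospective_analysis(pkts):
    seen: Dict[str, int] = {}
    for p in pkts:
        seen[p.src] = seen.get(p.src, 0) + 1
        p.tags["repeat"] = seen[p.src]                       # flagged packets per source so far
    return pkts

def application_mapping(pkts):
    for p in pkts:
        p.tags["app"] = ASSETS.get(p.dst, "unknown")
    return pkts

def asset_validation(pkts):
    return [p for p in pkts if p.tags["app"] != "unknown"]   # keep only managed targets

# --- data lake layer: three functions, run on the smallest data set ---
def threat_intelligence_correlation(pkts):
    for p in pkts:
        p.tags["score"] = sum(k in p.tags for k in FINDINGS)
    return pkts

def telemetry_data(pkts):
    for p in pkts:
        p.tags["telemetry"] = f"{p.src}->{p.dst}:{p.dport} {p.tags['service']} score={p.tags['score']}"
    return pkts

def automated_response(pkts):
    for p in pkts:
        p.tags["action"] = "block" if p.tags["score"] >= 2 else "alert"
    return pkts

LAYER_RANK = {"sensor": 0, "federated_application": 1, "data_lake": 2}
# (layer, priority, function); priority orders functions inside a layer (assumed values).
ARCHITECTURE: List[Tuple[str, int, Callable[[List[Packet]], List[Packet]]]] = [
    ("sensor", 1, traffic_analysis), ("sensor", 2, knowledge_base_framework),
    ("sensor", 3, threat_intelligence_feed), ("sensor", 4, idp_engine), ("sensor", 5, cloud_threat_detection),
    ("federated_application", 1, threat_detection), ("federated_application", 2, retrospective_analysis),
    ("federated_application", 3, application_mapping), ("federated_application", 4, asset_validation),
    ("data_lake", 1, threat_intelligence_correlation), ("data_lake", 2, telemetry_data),
    ("data_lake", 3, automated_response),
]

def check_hierarchy(arch):
    """Claim 1: strictly fewer functions at each higher layer."""
    n = {layer: sum(1 for e in arch if e[0] == layer) for layer in LAYER_RANK}
    return n["sensor"] > n["federated_application"] > n["data_lake"]

def determine_order(arch):
    """Sensor first, then federated application, then data lake; priority within a layer."""
    return sorted(arch, key=lambda e: (LAYER_RANK[e[0]], e[1]))

def execute(pkts, arch):
    """Run the functions in order; return surviving packets and the volume each layer hands upward."""
    data, volume = pkts, {}
    for layer, _, fn in determine_order(arch):
        data = fn(data)
        volume[layer] = len(data)
    return data, volume

def adjust_network(findings):
    """The 'adjust' step: sources the data lake layer decided to block."""
    return sorted({p.src for p in findings if p.tags["action"] == "block"})

def sample_packets():
    """Constructed traffic, not a real capture."""
    return [
        Packet("10.0.0.20", "10.0.0.5", 80, b""),                                        # keepalive noise
        Packet("10.0.0.21", "10.0.0.5", 443, b"GET /index.html"),                       # benign
        Packet("203.0.113.7", "10.0.0.9", 3306, b"SELECT * FROM t WHERE a='' OR 1=1 --"),  # TI hit + SQLi
        Packet("198.51.100.3", "10.0.0.5", 80, b"GET /../../.env"),                     # traversal, managed target
        Packet("198.51.100.3", "192.0.2.50", 80, b"GET /.env"),                         # traversal, unmanaged target
    ]

if __name__ == "__main__":
    found, vol = execute(sample_packets(), ARCHITECTURE)
    print(vol, adjust_network(found))
```

With the constructed packets, the sensor layer's five functions see all five packets and pass four upward, the federated application layer's four functions pass two, and the data lake layer's three functions score those two and decide one block and one alert. Swapping the layer order (for example running the correlation or response functions first) would make every function process the full stream, which is the inefficiency the description attributes to unordered execution.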