US-20260129060-A1 - NETWORK PROTECTION SYSTEM
Abstract
A network protection system detects harmful agents developed to damage a network, which an attacker controls through a command and control center. The system comprises a processor unit configured to enable an evaluation of traffic flowing over a networked firewall according to status data, to enable a risk analysis to be made according to the risk status of a flow if the flow includes at least one anomaly checked within the scope of the status data, to enable the preparation of a report containing score data at the end of the risk analysis, and to enable the report to be transmitted to a user interface via a communication unit on a remote server.
Inventors
- Ali Aydin KOC
- Osman Bahri VARGELOGLU
Assignees
- DIATTACK YAZILIM BILISIM SIBER GUVENLIK VE DANISMANLIK ANONIM SIRKETI
Dates
- Publication Date
- 20260507
- Application Date
- 20220825
- Priority Date
- 20211229
Claims (6)
- 1. A network protection system for detecting harmful agents developed to harm a network, which an attacker controls through a command and control center, comprising: a processor unit, the processor unit being configured to enable an evaluation of traffic flowing over a networked firewall according to status data; to enable a risk analysis to be made according to a risk status of a flow if the flow contains at least one anomaly checked within the scope of the status data; to enable the preparation of a report containing score data at the end of the risk analysis; and to enable the report to be transmitted to a user interface via a communication unit on a remote server.
- 2. The network protection system according to claim 1, wherein the status data includes at least one item of predetermined information that defines at least one signal exchanged between the harmful agent and the command and control center.
- 3. The network protection system according to claim 1, wherein the processor unit is configured to evaluate the flowing traffic with predetermined models using statistical and machine learning methods.
- 4. The network protection system according to claim 1, wherein the processor unit is configured to be connected to at least one database that stores previously detected harmful agent information.
- 5. The network protection system according to claim 1, wherein the processor unit is configured to compare the IP addresses contained in the flow with the IP addresses registered in the database during the flow evaluation.
- 6. The network protection system according to claim 1, wherein the processor unit is configured to record detected anomalies to a memory unit.
Description
CROSS REFERENCE TO RELATED APPLICATIONS
This application is a national stage entry of International Application No. PCT/TR2022/050912, filed on Aug. 25, 2022, which is based upon and claims foreign priority to Turkey Patent Application No. 2021/021533, filed on Dec. 29, 2021, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
The invention relates to a network protection system for detecting harmful agents developed to damage a network, which an attacker controls through a command and control center.
BACKGROUND
Firewalls are used to allow or block the traffic flowing over a network in order to secure it. They are used for both individual and corporate purposes. A firewall checks whether the packets received on the network are going where they should according to previously defined rules: packets that comply with the rules are allowed through, and packets that do not comply are blocked. Simpler firewalls are available to individual customers, while companies use more complex and systematic versions. A firewall that protects a company's network, or the computers on it, against attacks from the internet controls the traffic between the internal and external networks according to predetermined principles, so that a controlled data flow always takes place. Firewalls make filtering decisions that determine whether data is allowed to pass through and reach the user; these decisions are usually based on rules set by the administrator when the computer and the firewall are installed. Firewalls have changed and developed according to need since they were first introduced. There are three basic types of firewall, belonging to different generations from past to present.
These are first-generation packet filter firewalls, second-generation circuit-level firewalls and third-generation application-level firewalls. First-generation packet filter firewalls use simple packet filtering technology, which allows individual packets to be blocked. When first-generation firewalls became inadequate for network traffic that grew more complicated as technology developed, the circuit-level firewall, also called the second generation, was developed. Second-generation circuit-level firewalls can control much more complex network traffic than the first generation, and do so far more reliably and accurately. Application-level or proxy-based third-generation firewalls increase security by filtering at the application layer. Firewalls are expected to keep changing and developing as technology does. Malware is among the security threats to computer networks. Cybercriminals control malware-infected machines through a command and control server (C2) and use these machines to steal confidential information, spread malware to additional machines, and carry out malicious activities such as phishing within an organization. According to a McAfee report, more than 300,000 new malware formats and variants are created every day, and the global annual cost of malware attacks reaches up to 600 billion dollars. Security mechanisms are therefore needed to protect networks against malware attacks. A command and control server is a computer controlled by a cybercriminal. Attackers use command and control servers to maintain communication with and send commands to the systems within a target network that their malware has compromised, and to collect and store stolen data. Establishing communication with the command and control server is a vital step for attackers in gaining access to network resources.
The attacker begins by infecting a computer that may sit behind a firewall. This can be achieved in several ways. One is a phishing email that tricks an employee into clicking a link to a malicious website or opening an attachment that runs malicious code. Another is a vulnerability in a browser plug-in. Another is the download of a malicious application. Another is malicious code or infected software brought in on an external device, for example a USB stick. These paths can multiply and vary as technology develops. Once a machine has been compromised, the attacker has the infected computer or device send a callback to test the new connection. The callback is a signal sent from the internal systems to the command and control center. A callback means that the infection succeeded and an endpoint has been compromised. The callback is made periodically at a predetermined frequency. The agent ensures that a signal is transmitted to the command control center at predetermined ti
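The claims describe a pipeline (evaluate flows against status data, run a risk analysis only on flows with an anomaly, score them, report), and the description above identifies the periodic callback as the signal that gives a harmful agent away. The following is an added illustration of that pipeline over firewall flow records, written for this page; it is not the patent's implementation and the patent specifies no scoring formula. The status-data thresholds, the score weights, the `KNOWN_C2` address set standing in for the database of previously detected agents (claims 4 and 5), the `ANOMALY_LOG` list standing in for the memory unit (claim 6), and the sample flows are all constructed assumptions. Periodicity is judged by the coefficient of variation of the inter-arrival times between flows to the same destination, which is one common way to spot a fixed-frequency beacon.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds, as taken from a firewall flow log
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent by the internal host in this flow


# Assumed "status data" (claim 2): what a periodic C2 callback looks like.
STATUS_DATA = {
    "min_callbacks": 4,        # flows to one destination needed before periodicity is judged
    "max_interval_cv": 0.15,   # stdev/mean of inter-arrival times at or below this is periodic
    "max_beacon_bytes": 2048,  # check-in payloads are small and uniform
}

# Assumed database of previously detected harmful-agent C2 addresses (claims 4 and 5).
KNOWN_C2 = {"203.0.113.45"}

# Assumed score weights; the patent does not give a formula.
WEIGHTS = {"known_c2": 60, "periodic_callback": 30, "small_payload": 10}

ANOMALY_LOG = []  # stands in for the memory unit of claim 6


def _group(flows):
    groups = {}
    for f in flows:
        groups.setdefault((f.src, f.dst, f.dport), []).append(f)
    return groups


def evaluate_flows(flows, status_data=STATUS_DATA, known_c2=KNOWN_C2):
    """Step 1: check every src/dst/port pair against the status data.
    Returns one anomaly record per pair that tripped at least one check."""
    anomalies = []
    for (src, dst, dport), fs in _group(flows).items():
        reasons, period = [], None
        if dst in known_c2:  # claim 5: compare flow IPs with the database
            reasons.append("known_c2")
        if len(fs) >= status_data["min_callbacks"]:
            ts = sorted(f.ts for f in fs)
            iv = [b - a for a, b in zip(ts, ts[1:])]
            m = mean(iv)
            if m > 0 and pstdev(iv) / m <= status_data["max_interval_cv"]:
                reasons.append("periodic_callback")
                period = round(m)
                # small payloads only matter once the timing already looks like a beacon
                if max(f.bytes_out for f in fs) <= status_data["max_beacon_bytes"]:
                    reasons.append("small_payload")
        if reasons:
            anomalies.append({"src": src, "dst": dst, "dport": dport,
                              "count": len(fs), "period_s": period, "reasons": reasons})
    return anomalies


def risk_analysis(anomaly, weights=WEIGHTS):
    """Step 2: run only for flows that contain at least one anomaly; yields score data."""
    score = min(100, sum(weights[r] for r in anomaly["reasons"]))
    risk = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return {**anomaly, "score": score, "risk": risk}


def build_report(flows, status_data=STATUS_DATA, known_c2=KNOWN_C2):
    """Step 3: the report that would go to the user interface, highest score first.
    Detected anomalies are also retained in ANOMALY_LOG."""
    anomalies = evaluate_flows(flows, status_data, known_c2)
    ANOMALY_LOG.extend(anomalies)
    return sorted((risk_analysis(a) for a in anomalies), key=lambda r: -r["score"])


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # implant on 10.0.0.5 checking in with a known C2 about every 60 s with a tiny payload
    *(Flow(t, "10.0.0.5", "203.0.113.45", 443, 512) for t in (0, 60, 121, 179, 240, 301)),
    # implant on 10.0.0.9 beaconing to a host the database has not seen yet
    *(Flow(t, "10.0.0.9", "192.0.2.77", 8080, 300) for t in (0, 30, 60, 90, 120)),
    # ordinary browsing from 10.0.0.7: irregular timing, large and varied transfers
    Flow(0, "10.0.0.7", "198.51.100.20", 443, 1500),
    Flow(5, "10.0.0.7", "198.51.100.20", 443, 40000),
    Flow(300, "10.0.0.7", "198.51.100.20", 443, 2000),
    Flow(312, "10.0.0.7", "198.51.100.20", 443, 90000),
    Flow(900, "10.0.0.7", "198.51.100.20", 443, 3000),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_FLOWS):
        print(f'{row["src"]} -> {row["dst"]}:{row["dport"]}  score={row["score"]:3d} '
              f'risk={row["risk"]:6s} period={row["period_s"]}s reasons={",".join(row["reasons"])}')
```

On the sample input the known-C2 beacon scores 100 (high) and the beacon to the unseen host scores 40 (medium), while the browsing session produces no anomaly and so never reaches the risk analysis. A real deployment would derive the thresholds from baseline traffic rather than fixed constants, and would treat jittered beacons (an agent randomising its sleep) by widening `max_interval_cv` or by looking at the distribution of intervals rather than a single ratio.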