The present invention relates to a method and a device for determining a malicious workload pattern. It further relates to a computer program product for performing a method for detecting a malicious workload pattern. A malicious workload pattern is a workload pattern that does not show the typical characteristics of normal or predetermined operation of a system.
Reliability and high availability are of great importance for services in information technology. Often services are provided for a plurality of applications or clients and are accessed via a network system. Resources and devices that either provide the resources (server, storage devices, databases etc.) or provide access to the resources (routers, switches, gateways, transmission lines etc.) are thereby shared among a plurality of users. In certain situations, the resource demand might exceed the capability of one or more of the devices. Such overload situations may temporarily, or even for a continuing period of time, lead to service failure. It is therefore an important task to detect such overload situations or, even better, to detect the emergence of overload situations so as to be able to react in advance.
Overload situations can be recognized by analyzing the workload of a device. If an actual workload deviates from the typical workload of a device operating under normal conditions it is considered to be a malicious or problematic workload being indicative of an overload or an emerging overload situation.
According to WO 2004/070509 A2 the workload within a network can, for example, be defined as the number of accesses of a certain type to a device per time interval, for example usage of a port over TCP/IP (transmission control protocol/internet protocol). The workload is detected to be malicious if the actual workload exceeds a certain threshold representing an average workload. However, reducing a complex workload situation to the rate of usage of a device might be appropriate for detecting some problematic situations, but is in general too simplified to detect others.
Other approaches to detecting malicious workloads are therefore particularly focused on the content of requests, for example as described in US 2004/181684, where malicious code patterns are searched for in control and data traffic. Such methods are useful in the context of network security since they are able to detect so-called worm or virus intrusions into a system. Worms and viruses are designed to replicate themselves and may, if not suppressed, therefore lead to an overload situation, sometimes called a denial of service (DoS) attack. However, workload analysis based on the content of traffic is only successful if the code patterns of dangerous traffic are already known, and it is also more time-consuming than rate-based analysis. Moreover, the only malicious workload situations that are detected are those caused by an illegal intrusion into the system, while other malicious workload situations are not detected, even if they likewise lead to the failure of a service.
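To make the two prior-art approaches and their respective blind spots concrete, the following Python is an added example; it is not code from the present application nor from either cited document. It runs a rate-based detector (accesses per time interval compared against a threshold derived from an average workload) and a content-based detector (search for a known-bad byte pattern) over constructed sample traffic. The event format, the 10-second interval, the factor-of-two threshold and the byte pattern HYPOTHETICAL_BAD_PATTERN are assumptions chosen for illustration.

```python
"""Added example: rate-based versus content-based workload detection.

Constructed sample traffic is embedded inline so the script runs offline.
Nothing here is taken from the patent or the cited prior-art documents.
"""
from collections import Counter
import statistics

# Hypothetical signature of "dangerous traffic"; a real detector would use a
# database of known worm/exploit patterns instead of this placeholder.
HYPOTHETICAL_BAD_PATTERN = b"EXPLOIT-MARKER"


def build_sample_events():
    """Constructed traffic as (timestamp_seconds, destination_port, payload)."""
    events = []
    # Baseline: intervals 0-3 carry 4/5/6/5 benign requests to port 80.
    for interval, n in enumerate([4, 5, 6, 5]):
        for j in range(n):
            events.append((interval * 10 + j, 80, b"GET /index.html HTTP/1.1"))
    # Interval 4: a burst of 30 benign requests, i.e. an overload without
    # any malicious content (e.g. a flash crowd or a misbehaving client).
    for j in range(30):
        events.append((40 + j % 10, 80, b"GET /index.html HTTP/1.1"))
    # Interval 5: one request carrying the known-bad pattern at a normal rate.
    events.append((52, 80, b"GET /cgi-bin/x HTTP/1.1 " + HYPOTHETICAL_BAD_PATTERN))
    # Traffic on another port, which the port-80 rate detector must ignore.
    events.append((41, 22, b"SSH-2.0-client"))
    return events


def rate_per_interval(events, port, interval):
    """Count accesses to `port` per time interval of `interval` seconds."""
    counts = Counter()
    for ts, p, _payload in events:
        if p == port:
            counts[int(ts // interval)] += 1
    return counts


def rate_threshold_alerts(events, port, interval, baseline_intervals, factor=2.0):
    """Rate-based detection in the style of WO 2004/070509: an interval is
    flagged when its access count exceeds `factor` times the average count
    observed over the baseline intervals. Returns {interval: count}."""
    counts = rate_per_interval(events, port, interval)
    baseline = [counts.get(i, 0) for i in baseline_intervals]
    threshold = factor * statistics.mean(baseline)
    return {i: c for i, c in sorted(counts.items()) if c > threshold}


def signature_alerts(events, patterns):
    """Content-based detection in the style of US 2004/181684: flag every
    event whose payload contains one of the known-bad byte patterns.
    Returns a list of (timestamp, port) for the matching events."""
    return [(ts, port) for ts, port, payload in events
            if any(p in payload for p in patterns)]


def compare_detectors():
    """Run both detectors on the sample traffic and return their alerts."""
    events = build_sample_events()
    rate = rate_threshold_alerts(events, port=80, interval=10,
                                 baseline_intervals=range(4))
    sig = signature_alerts(events, [HYPOTHETICAL_BAD_PATTERN])
    return rate, sig


if __name__ == "__main__":
    rate_alerts, sig_alerts = compare_detectors()
    # The rate detector sees the benign flood in interval 4 but not the
    # single malicious request; the signature detector sees the opposite.
    print("rate-based alerts     :", rate_alerts)
    print("signature-based alerts:", sig_alerts)
```

Running the script shows the complementary blind spots the text describes: the rate detector flags only interval 4 (30 accesses against a threshold of 10), which contains no malicious content at all, while the signature detector flags only the single request in interval 5 and is silent on the flood, because that traffic matches no known pattern.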
It is therefore a challenge to provide a method for detecting a malicious workload more effectively and more independently of its origin. It is furthermore a challenge to provide a device and a computer program product for detecting a malicious workload more effectively and more independently of its origin.