Dynamic traffic steering system and method in a network

US 10,033,751 B2
Filed: 02/21/2014
Issued: 07/24/2018
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. A security system for use in a communications network, said network comprising means to allow a plurality of devices to communicate over the network;

a security agent configured on at least one device and adapted to communicate with the security system;

said system comprising;

a security analytics module configured to store traffic patterns to and from devices in the network, the patterns used as baseline reference traffic patterns for detecting traffic to or from other devices; and

a steering control module configured to perform dynamic intelligent traffic steering from the device based on analysis of data traffic on the network or on the device by (i) storing a history for the device based on activity of the device over time, (ii) determining whether activity of the device matches out-of-the-ordinary characteristic patterns based on the baseline reference traffic patterns, (iii) assigning to the device a first policy configured for a matched characteristic pattern, and (iv) assigning a second policy to the device in response to and based on an analysis of behavioural changes of the device;

wherein the device'"'"'s propensity to exhibit suspicious or normal behaviour in the past influences which policy is assigned to the device, and wherein the steering decision is made to select a channel on a per flow basis based on the policy assigned to the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a security system and method for use in a communications network, said network comprising means to allow a plurality of devices to communicate over the network; a security agent configured on at least one device and adapted to communicate with the security system; said system comprising: means for performing dynamic intelligent traffic steering from the device based on analysis of data traffic on the network or on the device, wherein the steering decision can be made to select a channel on a per flow basis.

32 Citations

View as Search Results

23 Claims

1. A security system for use in a communications network, said network comprising means to allow a plurality of devices to communicate over the network;
- a security agent configured on at least one device and adapted to communicate with the security system;
  
  said system comprising;
  
  a security analytics module configured to store traffic patterns to and from devices in the network, the patterns used as baseline reference traffic patterns for detecting traffic to or from other devices; and
  
  a steering control module configured to perform dynamic intelligent traffic steering from the device based on analysis of data traffic on the network or on the device by (i) storing a history for the device based on activity of the device over time, (ii) determining whether activity of the device matches out-of-the-ordinary characteristic patterns based on the baseline reference traffic patterns, (iii) assigning to the device a first policy configured for a matched characteristic pattern, and (iv) assigning a second policy to the device in response to and based on an analysis of behavioural changes of the device;
  
  wherein the device'"'"'s propensity to exhibit suspicious or normal behaviour in the past influences which policy is assigned to the device, and wherein the steering decision is made to select a channel on a per flow basis based on the policy assigned to the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 23)
- - 2. The security system of claim 1 comprising means to dynamically control which user device data communications are steered via a particular path and/or based on information received from at least one security agent by selecting a channel for a particular flow.
  - 3. The security system of claim 1 comprising means to perform control communications to the security agent to implement control measures, including targeted traffic steering to direct which user device data communications are sent on a particular path.
  - 4. The security system of claim 1 comprising means for applying other intelligent dynamic control means to block and/or redirect such communications/traffic:
    - wherein the control communications comprises means for blocking enterprise traffic and/or internet traffic to/from the device, or blocking traffic for a particular user device for a particular service, for a particular application, for a particular protocol or on a particular session whilst allowing other traffic.
  - 5. The security system as claimed in claim 1 comprising a dedicated secure control and/or communication channel between the security agent and the security system.
  - 6. The security system of claim 1 comprising a dedicated secure control and/or communication channel between the security agent and the security system;
    - wherein the dedicated secure control and communication channel comprises a VPN tunnel.
  - 7. The security system of claim 1 comprising a dedicated secure control and/or communication channel between the security agent and the security system, wherein the dedicated secure control and/or communication channel comprises a plurality of tunnels, each tunnel is configured for a different service.
  - 8. The security service of claim 1 comprising a dedicated secure control and/or communication channel between the security agent and the security system, wherein the dedicated secure control and/or communication channel comprises a plurality of tunnels, each tunnel is configured for a different service and wherein a first tunnel is configured for enterprise services, a second tunnel is configured to direct traffic to a network security service and a third un-tunnelled path is for general internet traffic.
  - 9. The security system of claim 1 wherein the security agent is configured to determine a flow identifier for each packet sent via a VPN service, and further configured to determine a gateway or tunnel associated with the flow identifier;
    - wherein the security agent steers traffic onto a tunnel based on the determined flow identifier.
  - 10. The security system of claim 1 wherein the security agent is configured to determine a flow identifier for each packet sent via a VPN service, and further configured to determine a gateway or tunnel associated with the flow identifier;
    - and wherein the security agent is configured to make steering decisions about traffic dynamically either in response to traffic type, originating application, general security threat levels prevalent at the time or other factors by steering the traffic to the appropriate VPN tunnel.
  - 11. The security system claim 1 comprising means to control the dynamic traffic steering by communication with the security agent based on said analysis and use of DNS communications.
  - 12. The security system of claim 1 comprising means to control the dynamic traffic steering by communication with the security agent based on said analysis and use of DNS communications in conjunction with control messages.
  - 13. The security system of claim 1 wherein the data traffic comprises internet or IP traffic.
  - 14. The security system of claim 1 wherein the security agent is adapted to perform packet inspection and filtering on the device, determining the protocol and applying policy control on the device.
  - 15. The security system of claim 1 comprising means for implementing at least one policy wherein the policy comprises a rule set and means for associating a subscriber device with the policy:
    - wherein the rule set is based on observed behaviour of the device by the security system using a security analytics module.
  - 16. The security system of claim 1 wherein a rule set is pushed as a control message by the system to the security agent on the device independently of and without requiring subscriber policies to be provisioned:
    - wherein a device is dynamically assigned to a policy based on device behavioural analysis and/or filtering by the security system.
  - 17. The security system of claim 1 wherein a policy based rule set or an alternative rule set communicated to the security agent on the device comprises dynamic traffic steering or communications/traffic blocking and/or redirection.
  - 18. The security system of claim 1 wherein the system is adapted to determine that a device activity matches normal characteristic patterns and assigns a policy to that device configured for said matched characteristic pattern.
  - 19. The security system of claim 1 wherein the system is adapted to determine that a device is diverging from a normal characteristic pattern to an unknown pattern and assigns a policy to that device configured for said matched unknown characteristic pattern.
  - 20. The security system of claim 1 wherein the security agent is adapted to generate network flow records comprising statistics for traffic to or from the device.
  - 21. The security system of claim 1 wherein the security agent is adapted to generate network flow records comprising statistics for traffic to or from the device and the security agent is adapted to generate network event records comprising statistics or other information for messaging traffic or events pertaining to the user device, including statistics for SMS events, and is adapted to send the records to the security system.
  - 23. The security system of claim 1 wherein the data traffic comprises messaging traffic or communication.

22. A method of providing security in a communications network, said network comprising means to allow a plurality of devices to communicate over the network;
- a security agent configured on at least one device and adapted to communicate with the security system;
  
  said method comprising;
  
  performing dynamic intelligent traffic steering from the device based on analysis of data traffic on the network or on the device, wherein the analysis of the data traffic includes;
  
  storing traffic patterns to and from devices in the network, the patterns used as baseline reference traffic patterns for detecting traffic to or from other devices;
  
  storing a history for the device based on activity of the device over time;
  
  determining whether activity of the device matches out-of-the-ordinary characteristic patterns based on the baseline reference traffic patterns;
  
  assigning to the device a first policy configured for a matched characteristic pattern, the device'"'"'s propensity to exhibit suspicious or normal behaviour in the past influencing which policy is assigned to the device; and
  
  assigning a second policy to the device in response to and based on an analysis of behavioural changes of the device,and wherein the steering decision is made to select a channel on a per flow basis based on the policy assigned to the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adaptive Mobile Security Ltd. (Enea AB)
Original Assignee
Adaptive Mobile Security Ltd. (Enea AB)
Inventors
Donnelly, Darrel, Dillon, Brendan, Donnelly, Jim, Carr, Hugh
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US14/770,086
Publication Number

US 20160006755A1
Time in Patent Office

1,614 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

Dynamic traffic steering system and method in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic traffic steering system and method in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links