Systems and methods for IP source address spoof detection
First Claim
1. A method for detecting an attack on a network device, the method comprising:
aggregating a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at an interface device to a network;
creating a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect;
verifying the classifier, wherein verifying the classifier comprises:
applying, to the classifier, a second plurality of source IP addresses from a second plurality of communications;
calculating a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier;
receiving a communication comprising a particular source IP address;
applying the particular source IP address to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
when the particular source IP address is not within the range of source IP addresses defined by the classifier, determining that the communication is a suspect communication; and
executing a mitigating procedure on the suspect communication.
Abstract
Aspects of the present disclosure involve systems, methods, computer program products, and the like, for detecting a spoofed source IP address on an incoming communication to any type of network, such as a telecommunications or content delivery network. Each interface to the network may include a classifier that defines or describes the source IP addresses that the interface recognizes as valid. If a received communication packet carries a source IP address that is not included in or defined by the interface classifier, the packet is treated as possibly carrying a spoofed source IP address, and one or more mitigation techniques may be applied to the incoming packet to prevent an attack on a device or network that relies on the spoofed packet. Such techniques may lessen or prevent unauthorized access to the device or network, or a DDoS attack on the network or device.
18 Claims
1. A method for detecting an attack on a network device, the method comprising:
aggregating a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at an interface device to a network;
creating a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect;
verifying the classifier, wherein verifying the classifier comprises:
applying, to the classifier, a second plurality of source IP addresses from a second plurality of communications;
calculating a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier;
receiving a communication comprising a particular source IP address;
applying the particular source IP address to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
when the particular source IP address is not within the range of source IP addresses defined by the classifier, determining that the communication is a suspect communication; and
executing a mitigating procedure on the suspect communication.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for protection of a telecommunications network, the system comprising:
a memory storing instructions;
a processor in communication with the memory to execute the instructions, wherein the processor executes a network data aggregator and a classifier;
wherein the network data aggregator aggregates a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at a network;
wherein the classifier creator:
receives the plurality of source Internet Protocol (IP) addresses included in a plurality of communications from the network data aggregator; and
creates a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect; and
a network interface device that:
receives the classifier from the classifier creator;
applies a particular source IP address from a suspect communication to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
executes a mitigating procedure on the suspect communication when the particular source IP address is not within the range of source IP addresses defined by the classifier;
verifies the classifier, wherein verifying the classifier causes the network interface device to:
apply, to the classifier, a second plurality of source IP addresses from a second plurality of communications; and
calculate a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A non-transitory computer-readable medium encoded with instructions, executable by a processing device, for operating a component of a telecommunications network, the instructions, when executed by the processing device, cause the processing device to perform the operations of:
aggregating a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at an interface device to a network;
creating a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect;
verifying the classifier, wherein verifying the classifier comprises:
applying, to the classifier, a second plurality of source IP addresses from a second plurality of communications;
calculating a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier;
receiving a communication comprising a particular source IP address;
applying the particular source IP address to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
when the particular source IP address is not within the range of source IP addresses defined by the classifier, determining that the communication is a suspect communication; and
executing a mitigating procedure on the suspect communication.
Dependent claims: 17, 18.
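The pipeline the claims describe (aggregate observed sources, build a decision-tree classifier over address ranges, verify it with a second sample by computing a value, then classify each incoming source and mitigate suspect ones), as an added Python example that is not the patent's code. The /24 aggregation granularity, the binary-tree layout over range boundaries, the 0.8 acceptance threshold and the sample addresses are assumptions.

```python
# Added example, not the patent's code: the claimed pipeline in Python. Assumed
# details not on the page: sources are aggregated into /24 prefixes, the decision
# tree is a binary tree over range boundaries, acceptance threshold ACCEPT_RATIO.
import ipaddress

ACCEPT_RATIO = 0.8  # assumed acceptance threshold for the verification value

def aggregate(addrs, prefixlen=24):
    """Aggregate observed source IPs into sorted, merged (lo, hi) integer ranges."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    ranges = sorted((int(n.network_address), int(n.broadcast_address)) for n in nets)
    merged = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:  # contiguous or overlapping: merge
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def build_tree(ranges):
    """Decision tree: node = (split, left, right); go left if addr < split.
    Leaves are bool: True = inside a learned range, False = suspect."""
    if not ranges:
        return False
    if len(ranges) == 1:
        lo, hi = ranges[0]
        return (lo, False, (hi + 1, True, False))
    mid = len(ranges) // 2
    return (ranges[mid][0], build_tree(ranges[:mid]), build_tree(ranges[mid:]))

def classify(tree, addr):
    """Walk the tree; True means the source is within the classifier's ranges."""
    ip, node = int(ipaddress.ip_address(addr)), tree
    while isinstance(node, tuple):
        node = node[1] if ip < node[0] else node[2]
    return node

def verify(tree, second_sample):
    """Verification value: fraction of a second batch that the tree accepts."""
    return sum(classify(tree, a) for a in second_sample) / len(second_sample)

def handle_packet(tree, src):
    """Forward recognised sources; apply the mitigation (drop) to suspect ones."""
    return "forward" if classify(tree, src) else "drop"

# Constructed sample traffic (RFC 5737 documentation ranges), not captured data.
TRAINING = ["203.0.113.5", "203.0.113.77", "198.51.100.9", "198.51.100.200", "192.0.2.14"]
SECOND = ["203.0.113.8", "198.51.100.33", "192.0.2.200", "203.0.113.250", "10.0.0.1"]
TREE = build_tree(aggregate(TRAINING))
VERIFIED = verify(TREE, SECOND) >= ACCEPT_RATIO  # 4 of 5 inside: 0.8, accepted
```

A source outside every learned range reaches a False leaf and is dropped; in practice the verification value should be re-checked as the second sample is refreshed, since a classifier built from too little traffic will reject legitimate sources.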
Specification