Systems and methods for IP source address spoof detection

US 10,594,706 B2
Filed: 03/24/2017
Issued: 03/17/2020
Est. Priority Date: 01/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an attack on a network device, the method comprising:

aggregating a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at an interface device to a network;

creating a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect;

verifying the classifier, wherein verifying the classifier comprises;

applying, to the classifier, a second plurality of source IP addresses from a second plurality of communications;

calculating a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier;

receiving a communication comprising a particular source IP address;

applying the particular source IP address to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;

when the particular source IP address is not within the range of source IP addresses defined by the classifier, determining that the communication is a suspect communication; and

executing a mitigating procedure on the suspect communication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the present disclosure involve systems, methods, computer program products, and the like, for detecting a spoofed source IP address on an incoming communication to any type of network, such as a telecommunications or content delivery network. Each interface to the network may include a classifier that defines or describes source IP addresses that are recognized by the interface as a valid source IP address. If a received communication packet includes a source IP address that is not included or defined by the interface classifier, the packet is considered as a possible spoofed IP address and one or more mitigation techniques may be applied to the incoming packet to prevent an attack on a device or network utilizing the spoofed packet. Such techniques may lessen or prevent an unauthorized access of the device or network or a DDOS attack on the network or device.

Citations

18 Claims

1. A method for detecting an attack on a network device, the method comprising:
- aggregating a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at an interface device to a network;
  
  creating a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect;
  
  verifying the classifier, wherein verifying the classifier comprises;
  
  applying, to the classifier, a second plurality of source IP addresses from a second plurality of communications;
  
  calculating a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier;
  
  receiving a communication comprising a particular source IP address;
  
  applying the particular source IP address to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
  
  when the particular source IP address is not within the range of source IP addresses defined by the classifier, determining that the communication is a suspect communication; and
  
  executing a mitigating procedure on the suspect communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the classifier comprises a decision tree structure with a plurality of decision nodes defining a range of values for a sub-portion of the plurality of source IP addresses.
  - 3. The method of claim 1 wherein the plurality of communications are received at the interface device to the network over a set period of time.
  - 4. The method of claim 1 further comprising:
    - providing the classifier to the interface device to the network; and
      
      verifying the classifier at the interface.
  - 5. The method of claim 1 wherein the value is a calculated percentage, and wherein the classifier is verified when the calculated percentage of the second plurality of source IP addresses from the second plurality of communications is above a threshold value.
  - 6. The method of claim 1 wherein the mitigating procedure comprises forwarding the suspect communication to a networking device of the network to prevent further transmission of the suspect communication through the network.
  - 7. The method of claim 1 wherein the mitigating procedure comprises notifying an access network to the network of the suspect communication.
  - 8. The method of claim 1 wherein the classifier is particular to the interface device of the network and the interface device is a gateway device to the network.

9. A system for protection of a telecommunications network, the system comprising:
- a memory storing instructions;
  
  a processor in communication with the memory to execute the instructions, wherein the processor executes a network data aggregator and a classifier;
  
  wherein the network data aggregator aggregates a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at a network;
  
  wherein the classifier creator;
  
  receives the plurality of source Internet Protocol (IP) addresses included in a plurality of communications from the network data aggregator; and
  
  creates a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP addresses are not suspect; and
  
  a network interface device that;
  
  receives the classifier from the classifier creator;
  
  applies a particular source IP address from a suspect communication to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
  
  executes a mitigating procedure on the suspect communication when the particular source IP address is not within the range of source IP addresses defined by the classifier;
  
  verifies the classifier, wherein verifying the classifier causes the network interface device to;
  
  applies, to the classifier, a second plurality of source IP addresses from a second plurality of communications; and
  
  calculates a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein the classifier comprises a decision tree structure with a plurality of decision nodes defining a range of values for a sub-portion of the plurality of source IP addresses.
  - 11. The system of claim 9 wherein the plurality of communications are received at the network over a set period of time.
  - 12. The system of claim 9 wherein the classifier is verified when the calculated percentage of the second plurality of source IP addresses from the second plurality of communications is above a threshold value.
  - 13. The system of claim 9 wherein the mitigating procedure comprises forwarding the suspect communication to a networking device of the network to prevent further transmission of the suspect communication through the network.
  - 14. The system of claim 9 wherein the mitigating procedure comprises notifying an access network to the network of the suspect communication.
  - 15. The system of claim 9 wherein the classifier is particular to the network interface device of the network and the network interface device is a gateway device to the network.

16. A non-transitory computer-readable medium encoded with instructions, executable by a processing device, for operating a component of a telecommunications network, the instructions, when executed by the processing device, cause the processing device to perform the operations of:
- aggregating a plurality of source Internet Protocol (IP) addresses included in a plurality of communications received at an interface device to a network;
  
  creating a classifier comprising at least one decision tree defining a range of source IP addresses of the received plurality of communications, wherein the range of source IP addresses identifies which source IP address are not suspect;
  
  verifying the classifier, wherein verifying the classifier comprises;
  
  applying, to the classifier, a second plurality of source IP addresses from a second plurality of communications;
  
  calculating a value resulting from applying, to the classifier, the second plurality of source IP addresses from the second plurality of communications to determine whether the second plurality of source IP addresses are within the range of source IP addresses defined by the classifier;
  
  receiving a communication comprising a particular source IP address;
  
  applying the particular source IP address to the at least one decision tree of the classifier to determine if the particular source IP address is within the range of source IP addresses defined by the classifier;
  
  when the particular source IP address is not within the range of source IP addresses defined by the classifier, determining that the communication is a suspect communication; and
  
  executing a mitigating procedure on the suspect communication.
- View Dependent Claims (17, 18)
- - 17. The non-transitory computer-readable medium of claim 16 wherein the classifier comprises a decision tree structure with a plurality of decision nodes defining a range of values for a sub-portion of the plurality of source IP addresses.
  - 18. The non-transitory computer-readable medium of claim 16 wherein the mitigating procedure comprises forwarding the suspect communication to a networking device of the network to prevent further transmission of the suspect communication through the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.)
Original Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.)
Inventors
Boatwright, Thomas B.
Primary Examiner(s)
Dolly, Kendall

Application Number

US15/468,390
Publication Number

US 20180219882A1
Time in Patent Office

1,089 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Systems and methods for IP source address spoof detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for IP source address spoof detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links