System and method for detecting and preventing denial of service attacks in a communications system

US 20060036727A1
Filed: 08/13/2004
Published: 02/16/2006
Est. Priority Date: 08/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting attacks in a communications network, the method comprising:

calculating first and second traffic volumes based on a plurality of messages received at a first time and a second time, respectively;

calculating an average acceleration based on the first and second traffic volumes;

identifying whether the average acceleration has crossed a threshold; and

servicing the plurality of messages only if the average acceleration has not crossed the threshold.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for use in detecting and preventing attacks in a communications network. In one example, the method includes calculating first and second traffic volumes based on messages received at a first time and a second time, respectively. An average acceleration is calculated based on the first and second traffic volumes, and the method identifies whether the average acceleration has crossed a threshold. The messages are serviced only if the average acceleration has not crossed the threshold.

Citations

34 Claims

1. A method for detecting attacks in a communications network, the method comprising:
- calculating first and second traffic volumes based on a plurality of messages received at a first time and a second time, respectively;
  
  calculating an average acceleration based on the first and second traffic volumes;
  
  identifying whether the average acceleration has crossed a threshold; and
  
  servicing the plurality of messages only if the average acceleration has not crossed the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein calculating the average acceleration includes calculating a first acceleration based on the first and second traffic volumes, and calculating the average acceleration based at least partly on the first acceleration.
  - 3. The method of claim 2 further comprising:
    - calculating a third traffic volume based on a plurality of messages received at a third time;
      
      calculating a second acceleration based on the second and third traffic volumes; and
      
      calculating the average acceleration based on the first acceleration and the second acceleration.
  - 4. The method of claim 2 wherein calculating the first acceleration includes using a sensitivity factor to enable adjustment of the first acceleration calculation.
  - 5. The method of claim 1 further comprising:
    - determining whether at least a portion of the plurality of messages received at the first and second times are authentic; and
      
      rejecting each message that is not authentic.
  - 6. The method of claim 5 wherein determining whether at least the portion of the plurality of messages received at the first and second times are authentic includes sending a message to a source designated by each message to verify whether the source is correct.
  - 7. The method of claim 1 further comprising, if the average acceleration has crossed the threshold, blocking at least a portion of the messages.
  - 8. The method of claim 7 further comprising:
    - identifying at least one source of the messages, wherein the at least one source is sending a majority of the messages that cause the average acceleration to cross the threshold; and
      
      blocking the messages only from the at least one source.
  - 9. The method of claim 1 wherein traffic comprising the first and second traffic volumes is directed to a single device, and wherein the average acceleration is calculated on a device by device basis for a plurality of devices.

10. A method for detecting denial of service attacks against one of a plurality of network devices, the method comprising:
- sampling a current traffic volume V_nfor a network device at each of a plurality of times “
  
  n”
  
  ;
  
  calculating an acceleration for each of the plurality of times, wherein each acceleration A_nis based on a previous acceleration A_n-1, the current traffic volume V_n, and a previous traffic volume V_n-1;
  
  calculating an average acceleration A_avgbased on each of the calculated accelerations A_n; and
  
  determining whether A_avghas crossed a threshold.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein each acceleration A_nis calculated as A_n=(1−
    - α
      
      ) A_n-1+α
      
      (V_n−
      
      V_n-1), wherein a is a sensitivity factor enabling adjustment of the calculation for A_n.
  - 12. The method of claim 11 wherein A_avgis calculated as (sum of each A_n)/n.
  - 13. The method of claim 10 further comprising permitting traffic to reach the network device only if A_avghas not crossed the threshold.
  - 14. The method of claim 13 further comprising, if A_avghas crossed the threshold, blocking at least a portion of the traffic.
  - 15. The method of claim 14 further comprising:
    - identifying one or more sources of the traffic that is causing A_avgto cross the threshold; and
      
      blocking the traffic only from the one or more sources.
  - 16. The method of claim 15 further comprising:
    - determining a trust level of the one or more sources; and
      
      blocking the traffic from the one or more sources only if the traffic'"'"'s behavior deviates from a normal behavior standard by a predefined amount.
  - 17. The method of claim 16 wherein the trust level is selected from a group comprising a no trust level, a low trust level, an identity-based trust level, and a cryptographic trust level.
  - 18. The method of claim 16 wherein the trust level of the source is modified based on at least one of a time or a day.

19. A communications system comprising:
- a network device;
  
  a processor;
  
  a memory accessible to the processor for storing instructions for processing by the processor; and
  
  a plurality of instructions, including;
  
  instructions for calculating first and second traffic volumes based on a plurality of messages destined for the network device and received at a first time and a second time, respectively;
  
  instructions for calculating an average acceleration based on the first and second traffic volumes;
  
  instructions for identifying whether the average acceleration has crossed a threshold; and
  
  instructions for permitting the plurality of messages to reach the network device only if the average acceleration has not crossed the threshold.
- View Dependent Claims (20)
- - 20. The system of claim 19 further comprising:
    - instructions for calculating a third traffic volume based on a plurality of messages received at a third time;
      
      instructions for calculating a first acceleration based on the first and second traffic volumes and a second acceleration based on the second and third traffic volumes; and
      
      instructions for calculating the average acceleration based on the first acceleration and the second acceleration.

21. A system for detecting denial of service attacks against one of a plurality of communication devices, the system comprising:
- a communications channel configured to carry traffic to the device;
  
  a processor accessible to the communications channel;
  
  means for sampling a current traffic volume V_nfor the device at each of a plurality of times “
  
  n”
  
  ;
  
  means for calculating an acceleration for each of the plurality of times, wherein each acceleration A_nis based on a previous acceleration A_n-1, the current traffic volume V_n, and a previous traffic volume V_n-1;
  
  means for calculating an average acceleration A_avgbased on each of the calculated accelerations A_n; and
  
  means for determining whether A_avghas crossed a threshold.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21 wherein each acceleration A_nis calculated as A_n=(1−
    - α
      
      ) A_n-1+α
      
      (V_n−
      
      V_n-1), wherein a is a sensitivity factor enabling adjustment of the calculation for A_n.
  - 23. The system of claim 22 wherein A_avgis calculated as (sum of each A_n)/n.
  - 24. The system of claim 21 wherein the traffic is voice-over-IP traffic.
  - 25. The system of claim 21 wherein the traffic is instant messaging traffic.

26. An architecture for preventing denial of service attacks, the architecture comprising:
- a traffic velocity monitor (TVM) configured to calculate a traffic velocity based on at least one of a source and a destination;
  
  a traffic acceleration monitor (TAM) accessible to the TVM and configured to calculate an average traffic acceleration based on the velocity calculated by the TVM; and
  
  a source filter accessible to at least the TVM, wherein the source filter is configured to block traffic from a source or to a destination identified by the TVM.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The architecture of claim 26 further comprising a spoof detection component configured to identify that a source of a message has been falsified.
  - 28. The architecture of claim 26 further comprising a machine caller detection component configured to identify that a call has been dialed by a machine.
  - 29. The architecture of claim 26 further comprising a fingerprint filter configured to analyze messages from an ongoing communication session to determine if the message characteristics of each message match the message characteristics of at least one party that established the session.
  - 30. The architecture of claim 26 further comprising a hijack detection component configured to determine whether a first message is legitimate by sending a second message to an endpoint from which the first message claims to originate and checking a response received from the endpoint to determine if the response is correct.
  - 31. The architecture of claim 26 further comprising a protocol scrubber configured to filter messages that violate one or more predefined protocols.
  - 32. The architecture of claim 31 wherein the protocol scrubber is further configured to modify a message in order to make the message comply with the one or more predefined protocols.
  - 33. The architecture of claim 26 further comprising a virtual private assistant configured to request a call back number in response to receiving a call.
  - 34. The architecture of claim 26 further comprising a call forwarding component configured to forward messages to a plurality of endpoints.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Sipera Systems Inc (Avaya Incorporated)
Inventors
Joglekar, Sachin, Kurapati, Krishna

Granted Patent

US 7,933,985 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2463/141 Denial of service attacks a...

H04L 63/1458 Denial of Service

System and method for detecting and preventing denial of service attacks in a communications system

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting and preventing denial of service attacks in a communications system

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links