Method for malicious traffic recognition in IP networks with subscriber identification and notification

US 20060174028A1
Filed: 11/21/2005
Published: 08/03/2006
Est. Priority Date: 01/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method for recognizing malicious traffic in a mobile network comprising:

identifying a mobile subscriber by a mobile subscriber identity;

detecting a malicious traffic associated with the mobile subscriber; and

notifying the mobile subscriber of the malicious traffic associated with the mobile subscriber using the mobile subscriber identity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for recognizing malicious traffic in IP networks coupled with an identification and notification of a mobile subscriber generating or receiving malicious traffic is provided. An embodiment of the present invention may include intrusively or non-intrusively monitoring in real-time the mobile subscriber'"'"'s data traffic for malicious traffic as well as mobile security intrusion attempts. Another embodiment of the present invention may report the identification of those mobile subscribers generating or receive malicious traffic to an operator. By knowing the identity of the mobile subscriber, an embodiment of the present invention may block the mobile subscriber'"'"'s subscription or alert the mobile subscriber in question about the malicious traffic. One embodiment of the present invention may be applied to mobile networks where the mobile subscriber'"'"'s identity is known by an unique identifier (e.g., an IMSI or a phone number) and where a notification system may be implemented using a messaging service e.g., SMS, MMS, IM, email, or voice.

60 Citations

View as Search Results

30 Claims

1. A method for recognizing malicious traffic in a mobile network comprising:
- identifying a mobile subscriber by a mobile subscriber identity;
  
  detecting a malicious traffic associated with the mobile subscriber; and
  
  notifying the mobile subscriber of the malicious traffic associated with the mobile subscriber using the mobile subscriber identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein the mobile subscriber identity is selected from a group consisting of an IMSI, a MSIDN, a phone number and a login name.
  - 3. The method of claim 1 wherein the mobile subscriber is notified by a notification.
  - 4. The method of claim 3 wherein the notification is selected from a group consisting of a SMS message, a MMS message, a IM message, a phone call, a Push-to-Talk message, and e-mail message, a voice mail message, a WAP redirection and a HTTP redirection.
  - 5. The method of claim 2 wherein the mobile subscriber identity is captured from a message selected from a group consisting of a PDP context request message, and a RADIUS accounting packet.
  - 6. The method of claim 2 wherein the mobile subscriber identity is queried from a network element selected from a group consisting of a Charging Gateway, a Gateway GRRS Support Node, a Serving GPRS Support Node, a RADIUS server and a Home Location Registry.
  - 7. The method of claim 1 wherein the malicious traffic associated with the mobile subscriber is selected from at least one of a group consisting of a malicious traffic sent by the mobile subscriber and a malicious traffic received by the mobile subscriber.
  - 8. The method of claim 1 further comprising:
    - notifying a content server to create a web page displaying a message based on the malicious traffic associated with the mobile subscriber; and
      
      notifying a redirecting network element to redirect the mobile subscriber to the web server.
  - 9. The method of claim 8 wherein the message displayed is selected from a group consisting of a warning to desist and an instruction to disinfect.
  - 10. The method of claim 8 wherein the redirecting network element is selected from a group consisting of a Domain Name Server and an Internet Protocol router.
  - 11. The method of claim 1, further comprising notifying an administrative system of the malicious traffic associated with the mobile subscriber.
  - 12. The method of claim 1, further comprising notifying a network element which disables a mobile data account of the mobile subscriber temporarily or permanently.
  - 13. The method of claim 1, further comprising sending at least one session detail to a database system when the malicious traffic associated with the mobile subscriber is detected.
  - 14. The method of claim 13 wherein the session details is selected for at least one of a group consisting of a phone number, an IP address, a session timestamp, a number of packets sent, a number of bytes sent, and an identification of malicious activity.
  - 15. The method of claim 1 wherein the notifying step the mobile subscriber uses a first method different from a second method used for communicating malicious traffic.
  - 16. The method of claim 1 wherein the notifying step is carried out by using a method native to an air interface used for sending messages to the mobile subscriber.
  - 17. The method of claim 16 wherein the detecting step is carried outside a radio area network.

18. A method for recognizing malicious traffic in an IP network comprising:
- analyzing an IP packet having a first portion and a second portion, the first portion having a source IP address and a destination IP address;
  
  identifying a mobile subscriber from the second portion of the IP packet;
  
  detecting a malicious traffic associated with the mobile subscriber from the second portion of the IP packet; and
  
  notifying the mobile subscriber of the malicious traffic associated with the mobile subscriber using the second portion of the IP packet.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. The method of claim 18 wherein the second portion of the IP packet is selected from a group consisting of a PDP context activation message and a RADIUS accounting packet.
  - 20. The method of claim 18 wherein the mobile subscriber is notified by a notification.
  - 21. The method of claim 20 wherein the notification is selected from a group consisting of a SMS message, a MMS message, a IM message, a phone call, a Push-to-Talk message, an email message, a voice mail message, a WAP redirection and a HTTP redirection.
  - 22. The method of claim 18 wherein the IP packet is sent over an interface selected from a group consisting of a Gn interface, and a Pi interface.
  - 23. The method of claim 18 wherein the malicious traffic associated with the mobile subscriber is selected from at least one of a group consisting of a malicious traffic sent by the mobile subscriber and a malicious traffic received by the mobile subscriber.
  - 24. The method of claim 18 further comprising:
    - notifying a web server to create a web page displaying a message based on the malicious traffic associated with the mobile subscriber; and
      
      notifying a redirecting network element to redirect the mobile subscriber to the web server.
  - 25. The method of claim 24 wherein the message displayed is selected from a group consisting of a warning to desist and an instruction to disinfect.
  - 26. The method of claim 24 wherein the redirecting network element is selected from a group consisting of a Domain Name Server and an Internet Protocol router.
  - 27. The method of claim 18 further comprising notifying an administrative system of the malicious traffic associated with the mobile subscriber.
  - 28. The method of claim 18 further comprising notifying a network element which disables a mobile data account of the mobile subscriber temporarily or permanently.
  - 29. The method of claim 18 further comprising sending at least one session detail to a database system when the malicious traffic associated with the mobile subscriber is detected.
  - 30. The method of claim 29 wherein the session details is selected for at least one of a group consisting of a phone number, an IP address, a session timestamp, a number of packets sent, and a number of bytes sent, and an identification of malicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Theta Networks Incorporated
Original Assignee
The Theta Networks Incorporated
Inventors
Zhu, Shouyu

Granted Patent

US 7,676,217 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/232
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Method for malicious traffic recognition in IP networks with subscriber identification and notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method for malicious traffic recognition in IP networks with subscriber identification and notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links