Techniques for network protection based on subscriber-aware application proxies
Abstract
Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.
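The decision flow the abstract describes, written as an added Python example (not code from the patent or its assignee): the gateway keeps the subscriber identifier, host address, NAS identifier and flow list together, treats a flow with a start but no termination as open, uses the count of open flows as the suspicious-activity property (an assumed choice), and when the intrusion condition holds it responds through the subscriber identity rather than the host address, handing a malicious-subscriber record to a billing agent that applies the three penalties of claim 16. Flow, UserData, the threshold and the sample subscriber are all constructed here.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    flow_id: str
    terminated: bool = False   # a flow with a start but no termination is "open"

@dataclass
class UserData:
    subscriber_id: str   # unique subscriber identifier, independent of the IP
    host_address: str    # network address of the subscriber's host
    nas_id: str          # identifier of the network access server
    flows: list          # flow list the gateway has seen for this subscriber

    def open_flows(self):
        return [f for f in self.flows if not f.terminated]

    def suspicious_activity(self) -> int:
        # Assumed property of the open flows: how many there are.
        return len(self.open_flows())

def intrusion_condition(user: UserData, max_open_flows: int) -> bool:
    return user.suspicious_activity() > max_open_flows

def gateway_respond(user: UserData, max_open_flows: int):
    """Return the malicious-subscriber record for the billing agent, or None.
    The record carries subscriber id and NAS id, not the host address, so a
    re-assigned or shared IP does not detach the response from the user."""
    if not intrusion_condition(user, max_open_flows):
        return None
    return {"subscriber_id": user.subscriber_id, "nas_id": user.nas_id,
            "intrusion": True, "open_flows": user.suspicious_activity()}

def billing_agent_penalize(record, authorized: set, balances: dict, fee: int):
    """Billing-agent side: revoke authorization, warn out of band, charge a fee."""
    sid = record["subscriber_id"]
    actions = []
    if sid in authorized:
        authorized.discard(sid)          # removed from the authorized-user list
        actions.append("deauthorized")
    actions.append("out-of-band warning sent")   # e.g. SMS or e-mail, not in-band
    balances[sid] = balances.get(sid, 0) + fee    # penalty fee on the account
    actions.append("penalty fee charged")
    return actions

# Constructed sample: subscriber 'sub-42' behind NAS 'nas-7' has 120 flows,
# of which only every sixth one was ever terminated (100 remain open).
SAMPLE = UserData("sub-42", "10.0.0.5", "nas-7",
                  [Flow(f"f{i}", terminated=(i % 6 == 0)) for i in range(120)])
```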
39 Claims
1. A method for protecting a packet switched network at a service gateway, comprising the steps of:
- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
- determining whether an intrusion condition is satisfied based on the suspicious activity data; and
- if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.

16. A method for responding to intrusions on a packet switched network, comprising the steps of:
- receiving, at a billing agent server that provides payment information for a remote user who accesses the target network, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
- in response to receiving the malicious subscriber data, penalizing the particular user by performing at least one of:
  - causing the particular user to be removed from a list of authorized users of the target network;
  - sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  - causing a penalty fee to be charged to an account associated with the particular user.

Dependent claims: 17.

18. An apparatus for protecting a packet switched network at a service gateway, comprising:
- means for receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
- means for determining whether an intrusion condition is satisfied based on the suspicious activity data; and
- means for responding to the intrusion based at least in part on user data other than the network address data, if it is determined that the intrusion condition is satisfied.

19. An apparatus for responding to intrusions on a packet switched network, comprising:
- means for receiving, at a billing agent server that provides payment information for a remote user who accesses the target network, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
- means for penalizing the particular user in response to receiving the malicious subscriber data by providing at least one of:
  - means for causing the particular user to be removed from a list of authorized users of the target network;
  - means for sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  - means for causing a penalty fee to be charged to an account associated with the particular user.

20. An apparatus for protecting a packet switched network at a service gateway server in a communication path on the packet switched network between a network access server and a content server on the packet switched network, comprising:
- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
- one or more processors;
- a computer-readable medium; and
- one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
  - receiving user data that includes subscriber identifier data, network address data, NAS data, flow list data and suspicious activity data;
  - determining whether an intrusion condition is satisfied based on the suspicious activity data; and
  - if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data,

  wherein the subscriber identifier data indicates a unique identifier for a particular user, the network address data indicates a network address for a host used by the particular user, the NAS data indicates an identifier for the network access server, the flow list data indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and the suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity.

Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34.

35. An apparatus for responding to intrusions on a packet switched network at a billing agent server that provides payment information for a remote user who accesses the packet switched network, comprising:
- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
- one or more processors;
- a computer-readable medium; and
- one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
  - receiving, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the packet switched network; and
  - in response to receiving the malicious subscriber data, penalizing the particular user by performing at least one of:
    - causing the particular user to be removed from a list of authorized users of the packet switched network;
    - sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the packet switched network; and
    - causing a penalty fee to be charged to an account associated with the particular user.

Dependent claims: 36.

37. A computer-readable medium carrying one or more sequences of instructions for protecting a packet switched network at a service gateway, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
- determining whether an intrusion condition is satisfied based on the suspicious activity data; and
- if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data.

38. A computer-readable medium carrying one or more sequences of instructions for responding to intrusions on a packet switched network, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving, at a billing agent server that provides payment information for a remote user who accesses the target network, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
- in response to receiving the malicious subscriber data, penalizing the particular user by performing at least one of:
  - causing the particular user to be removed from a list of authorized users of the target network;
  - sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  - causing a penalty fee to be charged to an account associated with the particular user.

Dependent claims: 39.