Techniques for network protection based on subscriber-aware application proxies

US 20070113284A1
Filed: 11/14/2005
Published: 05/17/2007
Est. Priority Date: 11/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a packet switched network at a service gateway , comprising the steps of:

receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;

determining whether an intrusion condition is satisfied based on the suspicious activity data; and

if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.

47 Citations

View as Search Results

39 Claims

1. A method for protecting a packet switched network at a service gateway , comprising the steps of:
- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
  
  determining whether an intrusion condition is satisfied based on the suspicious activity data; and
  
  if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method as recited in claim 1, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows that are started within a particular period of time; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows that are started within the particular period of time exceeds a threshold rate.
  - 3. A method as recited in claim 1, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the user; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the user exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 4. A method as recited in claim 1, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the content server; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the content server exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 5. A method as recited in claim 1, said step of responding to the intrusion further comprising the step of sending a message to the network access server based on the NAS data to terminate communications from the particular user.
  - 6. A method as recited in claim 5, said step of sending the message to the network access server further causing the network access server to free resources allocated to the user in an access network between the user and the network access server.
  - 7. A method as recited in claim 6, said step of sending the message to the network access server comprising the step of sending a Remote Access Dial-in User Service (RADIUS) Packet of Disconnect (POD) to the network access server, whereby the network access server tears down a communication path in the access network and frees resources in the access network allocated to the user.
  - 8. A method as recited in claim 1, said step of responding to the intrusion further comprising the step of sending a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user.
  - 9. A method as recited in claim 8, wherein the billing agent causes a message that requests the particular user to cease undesired activity to be sent to the particular user outside the packet-switched network.
  - 10. A method as recited in claim 8, wherein the billing agent causes the particular user to lose authorization for access to a set of one or more content servers.
  - 11. A method as recited in claim 8, wherein the billing causes an excess fee to be charged to the particular user.
  - 12. A method as recited in claim 1, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then not granting access for the packet-switched network.
  - 13. A method as recited in claim 12, said step of not granting access for the packet-switched network further comprising the step of not granting access for the packet-switched network during a particular penalty period of time.
  - 14. A method as recited in claim 1, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then forwarding the message to a particular server to generate a special response for the particular user.
  - 15. A method as recited in claim 1, said step of responding to the intrusion further comprising the step of deleting all data flows associated with the same subscriber identifier.

16. A method for responding to intrusions on a packet switched network, comprising the steps of:
- receiving, at a billing agent server that provides payment information for a remote user who accesses target network from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
  
  in response to receiving the malicious subscriber data, penalizing the particular user by performing at least one of;
  
  causing the particular user to be removed from a list of authorized users of the target network;
  
  sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  
  causing a penalty fee to be charged to an account associated with the particular user.
- View Dependent Claims (17)
- - 17. A method as recited in claim 16, further comprising:
    - determining whether a penalty period has expired; and
      
      if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.

18. An apparatus for protecting a packet switched network at a service gateway, comprising:
- means for receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
  
  means for determining whether an intrusion condition is satisfied based on the suspicious activity data; and
  
  means for responding to the intrusion based at least in part on user data other than the network address data, if it is determined that the intrusion condition is satisfied.

19. An apparatus for responding to intrusions on a packet switched network, comprising:
- means for receiving, at a billing agent server that provides payment information for a remote user who accesses target network from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
  
  means for penalizing the particular user in response to receiving the malicious subscriber data by providing at least one of;
  
  means for causing the particular user to be removed from a list of authorized users of the target network;
  
  means for sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  
  means for causing a penalty fee to be charged to an account associated with the particular user.

20. An apparatus for protecting a packet switched network at a service gateway server in a communication path on the packet switched network between a network access server and a content server on the packet switched network comprising:
- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
  
  one or more processors;
  
  a computer-readable medium; and
  
  one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, causes the one or more processors to carry out the step of;
  
  receiving user data that includes subscriber identifier data, network address data, NAS data, flow list data and suspicious activity data, determining whether an intrusion condition is satisfied based on the suspicious activity data; and
  
  if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data. wherein the subscriber identifier data indicates a unique identifier for a particular user, the network address data indicates a network address for a host used by the particular user, the NAS data indicates an identifier for the network access server, the flow list data indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and the suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 21. An apparatus as recited in claim 20, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows that are started within a particular period of time; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows that are started within the particular period of time exceeds a threshold rate.
  - 22. An apparatus as recited in claim 20, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the user; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the user exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 23. An apparatus as recited in claim 20, wherein:
    - the property that indicates suspicious activity is a number of the open data packet flows for which there is no acknowledgement message from the content server; and
      
      said step of determining whether an intrusion condition is satisfied comprises determining whether the number of the open data packet flows for which there is no acknowledgement message from the content server exceeds at least one of a threshold number and a threshold percentage of a total number of open data packet flows.
  - 24. An apparatus as recited in claim 20, said step of responding to the intrusion further comprising the step of sending a message to the network access server based on the NAS data to terminate communications from the particular user.
  - 25. An apparatus as recited in claim 24, said step of sending the message to the network access server further causing the network access server to free resources allocated to the user in an access network between the user and the network access server.
  - 26. An apparatus as recited in claim 25, said step of sending the message to the network access server comprising the step of sending a Remote Access Dial-in User Service (RADIUS) Packet of Disconnect (POD) to the network access server, whereby the network access server tears down a communication path in the access network and frees resources in the access network allocated to the user.
  - 27. An apparatus as recited in claim 20, said step of responding to the intrusion further comprising the step of sending a message based on the subscriber identifier data to a billing agent that is involved in determining charges for a particular user for causing the billing agent to penalize the particular user.
  - 28. An apparatus as recited in claim 27, wherein the billing agent causes a message that requests the particular user to cease undesired activity to be sent to the particular user outside the packet-switched network.
  - 29. An apparatus as recited in claim 27, wherein the billing agent causes the particular user to lose authorization for access to a set of one or more content servers.
  - 30. An apparatus as recited in claim 27, wherein the billing causes an excess fee to be charged to the particular user.
  - 31. An apparatus as recited in claim 20, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then not granting access for the packet-switched network.
  - 32. An apparatus as recited in claim 31, said step of not granting access for the packet-switched network further comprising the step of not granting access for the packet-switched network during a particular penalty period of time.
  - 33. An apparatus as recited in claim 20, said step of responding to the intrusion further comprising the steps of:
    - determining whether a logon message is received for authorization of access for the packet-switched network, which logon message includes the subscriber identifier data; and
      
      if the logon message that includes the subscriber identifier data is received, then forwarding the message to a particular server to generate a special response for the particular user.
  - 34. An apparatus as recited in claim 20, said step of responding to the intrusion further comprising the step of deleting all data flows associated with the same subscriber identifier.

35. An apparatus for responding to intrusions on a packet switched network at a billing agent server that provides payment information for a remote user who accesses the packet switched network, comprising:
- a network interface that is coupled to the packet switched network for communicating therewith a data packet;
  
  one or more processors;
  
  a computer-readable medium; and
  
  one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, causes the one or more processors to carry out the step of;
  
  receiving, from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the packet switched network; and
  
  in response to receiving the malicious subscriber data, penalizing the particular user by performing at least one of;
  
  causing the particular user to be removed from a list of authorized users of the packet switched network;
  
  sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the packet switched network; and
  
  causing a penalty fee to be charged to an account associated with the particular user.
- View Dependent Claims (36)
- - 36. An apparatus as recited in claim 35, wherein execution of the one or more sequences of instructions further causes the one or more processors to perform the steps of:
    - determining whether a penalty period has expired; and
      
      if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.

37. A computer-readable medium carrying one or more sequences of instructions for protecting a packet switched network at a service gateway, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving user data at a gateway server in a communication path on a packet switched network between a network access server and a content server, wherein the user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, wherein an open data packet flow comprises a data packet that indicates a start of a series of data packets that pass through the gateway server for communications between the user and the content server without a corresponding termination of the series of data packets between the user and the content server, and suspicious activity data that indicates a value for a property of the open data packet flows that indicates suspicious activity;
  
  determining whether an intrusion condition is satisfied based on the suspicious activity data; and
  
  if it is determined that the intrusion condition is satisfied, then responding to the intrusion based at least in part on user data other than the network address data.

38. A computer-readable medium carrying one or more sequences of instructions for responding to intrusions on a packet switched network, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving, at a billing agent server that provides payment information for a remote user who accesses target network from a subscriber-aware service gateway server, malicious subscriber data that includes subscriber identifier data that indicates a unique identifier for a particular user and intrusion data that indicates the particular user is associated with an intrusion on the target network; and
  
  in response to receiving the malicious subscriber data, penalizing the particular user by performing at least one of;
  
  causing the particular user to be removed from a list of authorized users of the target network;
  
  sending an out-of-band message to the particular user to warn the particular user to cease the intrusion on the target network; and
  
  causing a penalty fee to be charged to an account associated with the particular user.
- View Dependent Claims (39)
- - 39. A computer-readable medium as recited in claim 38, wherein execution of the one or more sequences of instructions further causes the one or more processors to perform the steps of:
    - determining whether a penalty period has expired; and
      
      if it is determined that a penalty period has expired, then causing the particular user to be restored to a list of authorized users of the target network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Batz, Robert, Bordonaro, Frank, Menditto, Louis, O'Rourke, Christopher

Granted Patent

US 8,266,696 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Techniques for network protection based on subscriber-aware application proxies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for network protection based on subscriber-aware application proxies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links