Distributed Stateful Intrusion Detection for Voice Over IP

US 20090070875A1
Filed: 09/12/2007
Published: 03/12/2009
Est. Priority Date: 09/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising generating a signal that indicates a potential intrusion when a protocol fails to enter a first state at a first node within δ

seconds of said protocol entering a second state at a second node, wherein δ

is a positive real number.

View all claims

26 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems.; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs.

Citations

20 Claims

1. A method comprising generating a signal that indicates a potential intrusion when a protocol fails to enter a first state at a first node within δ
- seconds of said protocol entering a second state at a second node, wherein δ
  
  is a positive real number.
- View Dependent Claims (2, 3, 4, 5, 19, 20)
- - 2. The method of claim 1 wherein said first state corresponds to a state S₁of a first finite-state machine for said protocol and said first node, and wherein said second state corresponds to a state S₂of a second finite-state machine for said protocol and said second node.
  - 3. The method of claim 2 wherein said first finite-state machine represents all allowed states and state transitions for said protocol at said first node, and wherein said second finite-state machine represents all allowed states and state transitions for said protocol at said second node.
  - 4. The method of claim 1 further comprising blocking a subsequent message from reaching its destination in response to the generation of said signal.
  - 5. The method of claim 1 wherein the value of δ
    - is based on at least one of said first state and said second state.
  - 19. The method of claim 1 wherein said first node and said second node participate in a session and communicate via said protocol within said session.
  - 20. The method of claim 19 wherein said signal identifies at least one node that participates in said session.

6. A method comprising generating a signal that indicates a potential intrusion when a protocol enters a first state at a first node within δ
- seconds of said protocol entering a second state at a second node, wherein δ
  
  is a positive real number.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6 wherein the value of δ
    - is based on at least one of said first state and said second state.
  - 8. The method of claim 6 wherein said first node and said second node participate in a session and communicate via said protocol within said session.
  - 9. The method of claim 8 wherein said signal identifies at least one node that participates in said session as a victim of said potential intrusion.
  - 10. The method of claim 8 wherein said session is part of a Voice over Internet Protocol call.

11. A method comprising generating a signal that indicates a potential intrusion when a protocol is in a first state at a first node within δ
- seconds of said protocol being in a second state at a second node, wherein δ
  
  is a positive real number.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein said first state corresponds to a state S₁of a first finite-state machine for said protocol and said first node, and wherein said second state corresponds to a state S₂of a second finite-state machine for said protocol and said second node.
  - 13. The method of claim 12 wherein said first finite-state machine represents all allowed states and state transitions for said protocol at said first node, and wherein said second finite-state machine represents all allowed states and state transitions for said protocol at said second node.
  - 14. The method of claim 11 wherein said first node and said second node participate in a session and communicate via said protocol within said session.
  - 15. The method of claim 11 wherein said signal identifies at least one of said first node and said second node as victims of said potential intrusion.

16. A method comprising:
- establishing a timeout when a protocol enters a first state at a first node; and
  
  generating a signal that indicates a potential intrusion when said timeout expires prior to an indication that said protocol enters a second state at a second node.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 further comprising blocking a subsequent message from reaching its destination in response to the generation of said signal.
  - 18. The method of claim 16 wherein the magnitude of said timeout is based on at least one of said first state and said second state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arlington Technologies, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Avaya Technology LLC (Avaya Incorporated)
Inventors
Adhikari, Akshay, Singh, Navjot, Garg, Sachin, Wu, Yu-Sung

Granted Patent

US 9,178,898 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 65/1104 Session initiation protocol...

Distributed Stateful Intrusion Detection for Voice Over IP

First Claim

26 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed Stateful Intrusion Detection for Voice Over IP

First Claim

26 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links