System, Method and Apparatus for Providing Security in an IP-Based End User Device

US 20090094671A1
Filed: 08/09/2008
Published: 04/09/2009
Est. Priority Date: 08/13/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing security in an IP-based end user device, comprising the steps of:

monitoring an application layer, a TCP/IP layer and a datalink layer of the IP-based end user device;

whenever an incoming session is detected, determining whether the incoming session satisfies one or more session security parameters, accepting the incoming session whenever the session security parameter(s) are satisfied, and denying the incoming session whenever the session security parameter(s) are not satisfied; and

whenever an incoming packet is detected, determining whether the incoming packet satisfies one or more packet security parameters, processing the incoming packet whenever the packet security parameter(s) are satisfied, and dropping the incoming packet whenever the packet security parameter(s) are not satisfied.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system, method and apparatus for providing security in an IP-based end user device, such personal computer clients, hard phones, soft phones, cellular phones, dual-mode phones, handheld communication devices, wireless communications devices and any other device capable of supporting real time IP-based applications. An application layer, a TCP/IP layer and a datalink layer of the IP-based end user device are monitored. Whenever an incoming session is detected and analyzed, the incoming session is accepted whenever one or more session security parameter(s) are satisfied and the incoming session is denied whenever the session security parameter(s) are not satisfied. Whenever an incoming packet is detected and analyzed, the incoming packet is processed whenever one or more packet security parameter(s) are satisfied and the incoming packet is dropped whenever the packet security parameter(s) are not satisfied.

Citations

22 Claims

1. A method for providing security in an IP-based end user device, comprising the steps of:
- monitoring an application layer, a TCP/IP layer and a datalink layer of the IP-based end user device;
  
  whenever an incoming session is detected, determining whether the incoming session satisfies one or more session security parameters, accepting the incoming session whenever the session security parameter(s) are satisfied, and denying the incoming session whenever the session security parameter(s) are not satisfied; and
  
  whenever an incoming packet is detected, determining whether the incoming packet satisfies one or more packet security parameters, processing the incoming packet whenever the packet security parameter(s) are satisfied, and dropping the incoming packet whenever the packet security parameter(s) are not satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as recited in claim 1, wherein:
    - the incoming session satisfies the session security parameter(s) whenever an originator of the incoming session is listed in a white list; and
      
      the incoming session does not satisfy the session security parameter(s) whenever the originator of the incoming session is listed in a black list.
  - 3. The method as recited in claim 1, further comprising the step of modifying the incoming packet whenever the incoming packet does not satisfy the packet security parameter(s) and the incoming packet can be corrected.
  - 4. The method as recited in claim 1, further comprising the step of reporting or recording any incoming sessions that do not satisfy the session security parameter(s) and any incoming packets that do not satisfy the packet security parameter(s).
  - 5. The method as recited in claim 1, further comprising the step of whenever an outgoing session is detected, determining whether the outgoing session satisfies the session security parameter(s), allowing the outgoing session whenever the session security parameter(s) are satisfied, and denying the outgoing session whenever the session security parameter(s) are not satisfied.
  - 6. The method as recited in claim 5, wherein the session security parameter(s) comprise one or more incoming session security parameters and one or more outgoing session security parameters.
  - 7. The method as recited in claim 1, further comprising the step of whenever an outgoing packet is detected, determining whether the outgoing packet satisfies the packet security parameter(s), allowing the outgoing packet whenever the packet security parameter(s) are satisfied, and dropping the outgoing packet whenever the packet security parameter(s) are not satisfied.
  - 8. The method as recited in claim 7, wherein the packet security parameter(s) comprise one or more incoming packet security parameters and one or more outgoing packet security parameters.
  - 9. The method as recited in claim 1, wherein the session security parameter(s) and packet security parameters are used to detect a malformed message, a rogue media anomaly, a rogue signaling anomaly, a flood attack, a protocol anomaly, an ARP poison anomaly, a configuration change anomaly, a DNS hijack anomaly, a spam attack, a man-in-the-middle attack, a spoofing attack or a combination thereof.
  - 10. The method as recited in claim 1, wherein:
    - the session security parameter(s) comprise a black list, a white list, a trust score, a session anomaly characteristic or a combination thereof, andthe packet security parameter(s) comprise an incoming session state model, an outgoing session state model, an encryption, a digital signature, one or more rate limits, a packet anomaly characteristic or a combination thereof.
  - 11. The method as recited in claim 1, further comprising the steps of:
    - initializing one or more data structures;
      
      detecting whether one or more Internet Protocol Communication Security Devices (IPCS) are in a path from the IP-based end user device to a network server; and
      
      whenever the IPCS is detected, establishing a secure communication channel with the IPCS, negotiating one or more security keys with the IPCS, obtaining one or more system security parameters from the IPCS, and configuring the IP-based end user device with the obtained system security parameters.
  - 12. The method as recited in claim 11, further comprising the step of receiving one or more new security keys whenever the security key(s) associated with the secure communication channel are changed.
  - 13. The method as recited in claim 12, wherein the security key is changed on a per session or per call basis.
  - 14. The method as recited in claim 1, further comprising the steps of:
    - detecting a user interface command; and
      
      executing the user interface command.
  - 15. The method as recited in claim 14, wherein the user interface command comprises a SPAM command, a TRUST command, an enable encryption command, a disable encryption command, a display information command or a change preferences command.
  - 16. The method as recited in claim 1, wherein:
    - the IP-based end user device comprises a mobile handset, a hard phone, a soft phone, a cellular phone, a dual-mode phone, a handheld communication device, a wireless communication device, a personal computer, a portable computer, a personal data assistant, a multimedia device or a combination thereof, andthe incoming and outgoing packet(s) comprise one or more data packets, voice packets, multimedia packets, signaling packets or a combination thereof.

17. A method for providing security in an IP-based end user device, comprising the steps of:
- detecting whether one or more Internet Protocol Communication Security Devices (IPCS) are in a path from the IP-based end user device to a network server; and
  
  whenever the IPCS is detected, establishing a secure communication channel with the IPCS, negotiating one or more security keys with the IPCS, obtaining one or more system security parameters from the IPCS, and configuring the IP-based end user device with the obtained system security parameters;
  
  monitoring an application layer, a TCP/IP layer and a datalink layer of the IP-based end user device;
  
  whenever an incoming session is detected, determining whether the incoming session satisfies one or more session security parameters, accepting the incoming session whenever the session security parameter(s) are satisfied, and denying the incoming session whenever the session security parameter(s) are not satisfied;
  
  whenever an outgoing session is detected, determining whether the outgoing session satisfies the session security parameter(s), allowing the outgoing session whenever the session security parameter(s) are satisfied, and denying the outgoing session whenever the session security parameter(s) are not satisfied;
  
  whenever an incoming packet is detected, determining whether the incoming packet satisfies one or more packet security parameters, processing the incoming packet whenever the packet security parameter(s) are satisfied, and dropping the incoming packet whenever the packet security parameter(s) are not satisfied;
  
  whenever an outgoing packet is detected, determining whether the outgoing packet satisfies the packet security parameter(s), allowing the outgoing packet whenever the packet security parameter(s) are satisfied, and dropping the outgoing packet whenever the packet security parameter(s) are not satisfied;
  
  whenever a user interface command is detected, executing the user interface command;
  
  wherein the IP-based end user device comprises a mobile handset, a computer, a portable computer, a personal data assistant, a multimedia device or a combination thereof,wherein the session security parameter(s) and packet security parameters are used to detect a malformed message, a rogue media anomaly, a rogue signaling anomaly, a flood attack, a protocol anomaly, an ARP poison anomaly, a configuration change anomaly, a DNS hijack anomaly, a spam attack, a man-in-the-middle attack, a spoofing attack or a combination thereof, andthe incoming and outgoing packet(s) comprise one or more data packets, voice packets, multimedia packets, signaling packets or a combination thereof.

18. A computer program embodied on a computer readable medium for providing security in an IP-based end user device, the computer program comprising:
- a code segment for monitoring an application layer, a TCP/IP layer and a datalink layer of the IP-based end user device;
  
  a code segment for whenever an incoming session is detected, determining whether the incoming session satisfies one or more session security parameters, accepting the incoming session whenever the session security parameter(s) are satisfied, and denying the incoming session whenever the session security parameter(s) are not satisfied; and
  
  a code segment for whenever an incoming packet is detected, determining whether the incoming packet satisfies one or more packet security parameters, processing the incoming packet whenever the packet security parameter(s) are satisfied, and dropping the incoming packet whenever the packet security parameter(s) are not satisfied.

19. An IP-based communications apparatus comprising:
- one or more processors comprising an application layer and a TCP/IP layer;
  
  one or more user interfaces connected to the processor(s);
  
  one or more communication interfaces connected to the processor(s) and comprising a physical layer and a datalink layer;
  
  one or more security modules that;
  
  (a) monitor the application layer, the TCP/IP layer and the datalink layer;
  
  (b) whenever an incoming session is detected, determine whether the incoming session satisfies one or more session security parameters, accept the incoming session whenever the session security parameter(s) are satisfied, and deny the incoming session whenever the session security parameter(s) are not satisfied; and
  
  (c) whenever an incoming packet is detected, determine whether the incoming packet satisfies one or more packet security parameters, process the incoming packet whenever the packet security parameter(s) are satisfied, and drop the incoming packet whenever the packet security parameter(s) are not satisfied.
- View Dependent Claims (20, 21)
- - 20. The apparatus as recited in claim 19, wherein:
    - the apparatus comprises a mobile handset, a computer, a portable computer, a personal data assistant, a multimedia device or a combination thereof, andthe incoming and outgoing packet(s) comprise one or more data packets, voice packets, multimedia packets, signaling packets or a combination thereof.
  - 21. The apparatus as recited in claim 19, wherein the session security parameter(s) and packet security parameters are used to detect a malformed message, a rogue media anomaly, a rogue signaling anomaly, a flood attack, a protocol anomaly, an ARP poison anomaly, a configuration change anomaly, a DNS hijack anomaly, a spam attack, a man-in-the-middle attack, a spoofing attack or a combination thereof.

22. A system comprising:
- a network server;
  
  an IP-based end user device communicably connected to the network server via a network and having one or more security modules that;
  
  (a) monitor an application layer, a TCP/IP layer and a datalink layer;
  
  (b) whenever an incoming session is detected, determine whether the incoming session satisfies one or more session security parameters, accept the incoming session whenever the session security parameter(s) are satisfied, and deny the incoming session whenever the session security parameter(s) are not satisfied; and
  
  (c) whenever an incoming packet is detected, determine whether the incoming packet satisfies one or more packet security parameters, process the incoming packet whenever the packet security parameter(s) are satisfied, and drop the incoming packet whenever the packet security parameter(s) are not satisfied; and
  
  one or more Internet Protocol Communication Security Devices (IPCS) in a path from the IP-based end user device to the network server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Sipera Systems Inc (Avaya Incorporated)
Inventors
Herle, Sudhindra Pundaleeka, Kurapati, Srikrishna

Application Number

US12/189,151
Publication Number

US 20090094671A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1458   Denial of Service

H04L 65/1079   of unsolicited session atte...

System, Method and Apparatus for Providing Security in an IP-Based End User Device

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method and Apparatus for Providing Security in an IP-Based End User Device

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links