Multi-Node and Multi-Call State Machine Profiling for Detecting SPIT

US 20090274144A1
Filed: 05/05/2008
Published: 11/05/2009
Est. Priority Date: 09/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining whether the execution of an instance of a first finite-state machine and an instance of a second finite-state machine during a call matches one or more execution profiles that are associated with improper call behavior, wherein said instance of said finite-state machine corresponds to the state of a communications protocol at a first node, and wherein said instance of said second finite-state machine corresponds to the state of a communications protocol at a second node, and wherein at least one of said execution profiles characterizes the execution of a plurality of finite-state machines during a call; and

when a match exists, generating a signal that indicates a possible occurrence of improper call behavior.

View all claims

25 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for detecting potentially-improper call behavior (e.g., SPIT, etc.) are disclosed. The illustrative embodiment of the present invention is based on finite-state machines (FSMs) that represent the legal states and state transitions of communications protocols at nodes during Voice over Internet Protocol (VoIP) calls. In accordance with the illustrative embodiment, a library of FSM execution profiles associated with improper call behavior and a set of rules (or rule base) associated with improper FSM behavior over one or more calls are maintained. When the behavior of one or more finite-state machines during one or more calls matches either an execution profile in the library or a rule in the rule base, an alert is generated.

57 Citations

View as Search Results

20 Claims

1. A method comprising:
- determining whether the execution of an instance of a first finite-state machine and an instance of a second finite-state machine during a call matches one or more execution profiles that are associated with improper call behavior, wherein said instance of said finite-state machine corresponds to the state of a communications protocol at a first node, and wherein said instance of said second finite-state machine corresponds to the state of a communications protocol at a second node, and wherein at least one of said execution profiles characterizes the execution of a plurality of finite-state machines during a call; and
  
  when a match exists, generating a signal that indicates a possible occurrence of improper call behavior.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein said improper call behavior is engendered by a third node.
  - 3. The method of claim 1 wherein at least one of said execution profiles comprises a sequence of visited states of a finite-state machine.
  - 4. The method of claim 1 wherein at least one of said execution profiles comprises a metric that is based on how often one or more particular states of a finite-state machine are visited.
  - 5. The method of claim 1 wherein at least one of said execution profiles comprises a metric that is based on how long a finite-state machine spends in one or more particular states.

6. A method comprising:
- determining whether the execution of an instance of a first finite-state machine and of an instance of a second finite-state machine during a call matches one or more rules that are associated with improper call behavior, wherein said instance of said first finite-state machine corresponds to the state of a communications protocol at a first node, and wherein said instance of said second finite-state machine corresponds to the state of a communications protocol at a second node, and wherein at least one of said rules comprises a condition pertaining to the execution of a plurality of finite-state machines during a call; and
  
  when a match exists, generating a signal that indicates a possible occurrence of improper call behavior.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6 wherein said improper call behavior is engendered by a third node.
  - 8. The method of claim 6 wherein said first finite-state machine corresponds to the state of a communications protocol at a calling terminal, and wherein said second finite-state machine corresponds to the state of said communications protocol at a called terminal.
  - 9. The method of claim 6 wherein said condition specifies a relationship between how often said first finite-state machine visits a first non-empty set of states and how often said second finite-state machine visits a second non-empty set of states.
  - 10. The method of claim 6 wherein said condition specifies a relationship between how long said first finite-state machine spends in a first non-empty set of states and how long said second finite-state machine spends in a second non-empty set of states.

11. A method comprising:
- determining whether the execution of an instance of a finite-state machine during a first call and during a second call matches one or more rules that are associated with improper call behavior, wherein said instance of said finite-state machine state corresponds to the state of a communications protocol at a node, and wherein at least one of said rules comprises a condition pertaining to the execution of a finite-state machine during a plurality of calls; and
  
  when a match exists, generating a signal that indicates a possible occurrence of improper call behavior.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein said condition specifies that the execution of a finite-state machine during a first call is similar to the execution of said finite-state machine during a second call.
  - 13. The method of claim 11 wherein said condition specifies that the execution of a finite-state machine during a first call is different than the execution of said finite-state machine during a second call.
  - 14. The method of claim 11 wherein said condition specifies that the execution of a finite-state machine during a first call matches a first execution profile, and that the execution of said finite-state machine during a second call matches a second execution profile.
  - 15. The method of claim 11 wherein said condition specifies that the execution of a finite-state machine during a first call and during a second call both match a particular execution profile.

16. A method comprising:
- determining whether the execution of an instance of a first finite-state machine and of an instance of a second finite-state machine during a first call and during a second call matches one or more rules that are associated with improper call behavior, wherein said instance of said first finite-state machine corresponds to the state of a communications protocol at a first node, and wherein said instance of said second finite-state machine corresponds to the state of a communications protocol at a second node, and wherein at least one of said rules comprises a condition pertaining to the execution of a plurality of finite-state machines during a plurality of calls; and
  
  when a match exists, generating a signal that indicates a possible occurrence of improper call behavior.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 wherein said condition specifies that the execution of a plurality of finite-state machines during a first call is similar to the execution of said plurality of finite-state machines during a second call.
  - 18. The method of claim 16 wherein said condition specifies that the execution of a plurality of finite-state machines during a first call is different than the execution of said plurality of finite-state machines during a second call.
  - 19. The method of claim 16 wherein said condition specifies that the execution of a plurality of finite-state machines during a first call matches a first execution profile, and that the execution of said plurality of finite-state machines during a second call matches a second execution profile.
  - 20. The method of claim 16 wherein said condition specifies that the execution of a plurality of finite-state machines during a first call and during a second call both match a particular execution profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arlington Technologies, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Avaya Incorporated
Inventors
Singh, Navjot, Adhikari, Akshay, Garg, Sachin, Wu, Yu-Sung

Granted Patent

US 9,100,417 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/352
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 65/1079   of unsolicited session atte...

H04L 65/1104   Session initiation protocol...

H04M 7/006   Networks other than PSTN/IS...

H04M 7/0078   Security; Fraud detection; ...

Multi-Node and Multi-Call State Machine Profiling for Detecting SPIT

First Claim

25 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-Node and Multi-Call State Machine Profiling for Detecting SPIT

First Claim

25 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links