System and method for exposing malicious sources using mobile IP messages

US 20100071051A1
Filed: 09/18/2008
Published: 03/18/2010
Est. Priority Date: 09/18/2008
Status: Active Grant

First Claim

Patent Images

1. A collaborating network device within a network, comprising:

a network interface operable to transmit and receive bait traffic to and from a collaborating mobile client having a fixed connection to the network, the bait traffic including mobile Internet Protocol (IP) messages, the network interface being further operable to receive an IP packet from a source other than the collaborating mobile client; and

a processor coupled to receive the IP packet and operable to determine whether the IP packet is a malicious packet, and if so, to identify the source as a malicious source.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious sources within networks are identified using bait traffic, including mobile IP messages, transmitted between a collaborating network device and a collaborating mobile client that has a fixed connection to the network. The bait traffic entices a malicious source to transmit malicious packets towards the collaborating mobile client and/or the network device. Upon receiving a malicious packet, the collaborating mobile client or the network device is able to identify the source of the packet as a malicious source and report the presence of the malicious source within the network.

Citations

20 Claims

1. A collaborating network device within a network, comprising:
- a network interface operable to transmit and receive bait traffic to and from a collaborating mobile client having a fixed connection to the network, the bait traffic including mobile Internet Protocol (IP) messages, the network interface being further operable to receive an IP packet from a source other than the collaborating mobile client; and
  
  a processor coupled to receive the IP packet and operable to determine whether the IP packet is a malicious packet, and if so, to identify the source as a malicious source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The network device of claim 1, wherein the collaborating mobile client is associated with a home network, the network is a visiting network and the network device is a foreign agent within the visiting network, and wherein the source is an infected host within the visiting network.
  - 3. The network device of claim 1, wherein the network is a home network of the collaborating mobile client and the network device is a home agent of the collaborating mobile client, and wherein the source is an infected host within the home network.
  - 4. The network device of claim 1, wherein the network is a home network of the collaborating mobile client, the collaborating mobile client is located in a visiting network and the network device is a home agent of the collaborating mobile client within the home network, and wherein the source is a malicious client that is fixed or mobile within a core network coupled between the home network and the visiting network.
  - 5. The network device of claim 1, wherein the malicious packet is a scan packet or attack packet.
  - 6. The network device of claim 1, wherein the network device is a layer 3 switch, router or server.
  - 7. The network device of claim 1, wherein the Mobile IP messages include at least one of a Mobile IP Agent Solicitation message originated by the collaborating mobile client a Mobile IP Agent Advertisement message originated by the network device and a Mobile IP Registration message originated by the collaborating mobile client or the network device.
  - 8. The network device of claim 1, further comprising:
    - a memory maintaining a policy table that indicates types of bait packets transmitted between the network device and the collaborating mobile client.
  - 9. The network device of claim 1, wherein the policy table further includes a schedule specifying a frequency or time for transmitting the bait packets between the network device and the collaborating mobile client.
  - 10. The network device of claim 1, wherein the network interface reserves a plurality of unused addresses and bait addresses and provides at least one of the bait addresses to the collaborating mobile client to facilitate transmission of the Mobile IP messages to and from the collaborating mobile client and to enable the malicious source to send the malicious packet to the network device.
  - 11. The network device of claim 1, wherein the IP packet has a spoofed source address identifying the collaborating mobile client, the processor being operable to identify the IP packet as a malicious packet based on a message type or header values within the IP packet.
  - 12. The network device of claim 1, wherein the network interface further provides a connection to a network administrator within the network, the processor being operable to notify the network administrator of the presence of the malicious source in the network via the network interface.

13. A network for identifying a malicious source, comprising:
- a collaborating mobile client having a fixed connection to the network and coupled to transmit and receive bait traffic through the network, the bait traffic including mobile Internet Protocol (IP) messages; and
  
  a collaborating network device coupled to transmit and receive the bait traffic to and from the collaborating mobile client;
  
  wherein at least one of the collaborating mobile client and the collaborating network device is coupled to receive an IP packet from a source other than the collaborating mobile client or the collaborating network device and operable to determine whether the IP packet is a malicious packet, and if so, to identify the source as a malicious source.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The network of claim 13, wherein the collaborating mobile client is associated with a home network, the network device is a foreign agent within the visiting network and the collaborating mobile client has a fixed connection to the visiting network, and wherein the source is an infected host within the visiting network.
  - 15. The network of claim 13, wherein the network is a home network of the collaborating mobile client and the network device is a home agent of the collaborating mobile client, and wherein the source is an infected host within the home network.
  - 16. The network of claim 13, wherein the collaborating mobile client is associated with a home network, the collaborating mobile client is located in a visiting network and the network device is a home agent of the collaborating mobile client within the home network, and wherein the source is a malicious client that is fixed or mobile within a core network coupled between the home network and the visiting network.
  - 17. The network of claim 13, further comprising:
    - a network administrator coupled to receive a notification message from one of the collaborating mobile client and the collaborating network device of the presence of the malicious source.
  - 18. The network of claim 13, wherein the network device is a layer 3 switch, router or server.
  - 19. The network of claim 13, wherein at least one of the collaborating mobile client and the collaborating network device maintains a policy table that indicates types of bait packets transmitted between the network device and the collaborating mobile client and a schedule specifying a frequency or time for transmitting the bait packets between the network device and the collaborating mobile client.

20. A method for identifying malicious sources within a network, comprising:
- transmitting bait traffic between a collaborating mobile client having a fixed connection to the network and a collaborating network device, the bait traffic including mobile Internet Protocol (IP) messages;
  
  receiving an IP packet at the collaborating mobile client or the collaborating network device from a source other than the collaborating mobile client or the collaborating network device;
  
  determining whether the IP packet is a malicious packet;
  
  if so, identifying the source as a malicious source; and
  
  reporting the presence of the malicious source in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
ABDEL-AZIZ, BASSEM, CHOYI, VINOD

Granted Patent

US 8,650,630 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04W 12/128   Anti-malware arrangements, ...

H04W 8/06   Registration at serving net...

H04W 80/04   Network layer protocols, e....

System and method for exposing malicious sources using mobile IP messages

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for exposing malicious sources using mobile IP messages

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links