MECHANISM FOR IDENTIFYING MALICIOUS CONTENT, DoS ATTACKS, AND ILLEGAL IPTV SERVICES

US 20100071062A1
Filed: 09/18/2008
Published: 03/18/2010
Est. Priority Date: 09/18/2008
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory that stores a plurality of parameter characteristics; and

a processing module that monitors a first plurality of control messages sent from a first device to a second device that broadcasts a plurality of Internet protocol television (IPTV) streams via a network; and

wherein;

when at least one of the first plurality of control messages includes characteristics corresponding to at least one of the plurality of parameter characteristics, the processing module performs at least one of;

blocks any future control message sent from the first device;

blocks the plurality IPTV streams from being broadcast to the first device; and

monitors a second plurality of control messages sent from the first device to the second device; and

when the processing module monitors the second plurality of control messages sent from the second device to the first device and when at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics, the processing module blocks any future control message sent from the first device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services. By monitoring the characteristics of various control messages being transmitted within a network that services Internet protocol television (IPTV) content to identify suspicious behavior (e.g., such as that associated with malicious content, denial of service (DoS) attacks, IPTV service stealing, etc.). In addition to monitoring control messages within such a network, deep packet inspection (DPI) may be performed for individual packets within an IPTV stream to identify malicious content therein (e.g., worms, viruses, etc. actually within the IPTV stream itself). By monitoring control messages and/or actual IPTV content within a network (e.g., vs. at the perimeter of a network only), protection against both outside and inside attacks can be effectuated. This network level basis of operation effectively guards against promulgation of malicious content to other devices within the network.

66 Citations

View as Search Results

20 Claims

1. An apparatus, comprising:
- a memory that stores a plurality of parameter characteristics; and
  
  a processing module that monitors a first plurality of control messages sent from a first device to a second device that broadcasts a plurality of Internet protocol television (IPTV) streams via a network; and
  
  wherein;
  
  when at least one of the first plurality of control messages includes characteristics corresponding to at least one of the plurality of parameter characteristics, the processing module performs at least one of;
  
  blocks any future control message sent from the first device;
  
  blocks the plurality IPTV streams from being broadcast to the first device; and
  
  monitors a second plurality of control messages sent from the first device to the second device; and
  
  when the processing module monitors the second plurality of control messages sent from the second device to the first device and when at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics, the processing module blocks any future control message sent from the first device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein:
    - the plurality of control message includes at least one of an Internet Group Message Protocol (IGMP) message and a Customer premise Management System (CMS) message.
  - 3. The apparatus of claim 1, wherein:
    - the at least one of the plurality of parameter characteristics is the at least one additional of the plurality of parameter characteristics.
  - 4. The apparatus of claim 1, wherein:
    - the at least one of the plurality of parameter characteristics includes indicia corresponding to virus, worm, or malware infection.
  - 5. The apparatus of claim 1, wherein:
    - the processing module performs deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and
      
      when the processing module detects an anomaly within the at least one packet, the processing module blocks the at least one of the plurality of IPTV streams from being broadcast via the network by the second device.
  - 6. The apparatus of claim 1, wherein:
    - the anomaly indicates that the at least one packet is virus, worm, or malware infected.
  - 7. The apparatus of claim 1, wherein:
    - the processing module performs deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and
      
      when the processing module detects an anomaly within the at least one packet, the processing module removes the at least one packet from the at least one of the plurality of IPTV streams.
  - 8. The apparatus of claim 1, wherein:
    - each control message of the first plurality of control messages has a corresponding type, a corresponding service, a corresponding sending device, and a corresponding receiving device associated therewith;
      
      a first multicast group includes control messages having at least one of a first type, a first service, and a first receiving device associated therewith;
      
      a second multicast group includes control messages having at least one of a second type, a second service, and a second receiving device associated therewith;
      
      control messages of the first multicast group are received by the apparatus; and
      
      control messages of the second multicast group are received by at least one additional apparatus.
  - 9. The apparatus of claim 1, wherein:
    - the processing module updates the plurality of parameter characteristics based on the first plurality of control messages thereby generating an updated plurality of parameter characteristics; and
      
      when the processing module monitors the second plurality of control messages sent from the second device to the first device and when at least one of the second plurality of control messages includes characteristics corresponding to at least one of the updated plurality of parameter characteristics, the processing module isolates the first device from the network.
  - 10. The apparatus of claim 1, wherein one of the plurality of parameter characteristics is:
    - a number of control messages sent per unit of time;
      
      a deviation of the number of control messages sent per unit of time from an expected number of control messages sent per unit of time;
      
      a re-booting process of the first device;
      
      an expected value of a selected bit within a control message;
      
      a switch through which a control message passes between the first device and the second device; and
      
      a history of IPTV streams received or selected by the first device.

11. An apparatus, comprising:
- a memory that stores a plurality of parameter characteristics; and
  
  a processing module that;
  
  monitors a first plurality of control messages sent from a first device to a second device that broadcasts a plurality of Internet protocol television (IPTV) streams via a network; and
  
  performs deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and
  
  wherein;
  
  when at least one of the first plurality of control messages includes characteristics corresponding to at least one of the plurality of parameter characteristics, the processing module performs at least one of;
  
  isolates the first device from the network;
  
  blocks the plurality IPTV streams from being broadcast to the first device; and
  
  monitors a second plurality of control messages sent from the first device to the second device;
  
  when the processing module monitors the second plurality of control messages sent from the second device to the first device and when at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics, the processing module isolates the first device from the network; and
  
  when the processing module detects an anomaly within the at least one packet in accordance with the DPI, the processing module either;
  
  removes the at least one packet from the at least one of the plurality of IPTV streams;
  
  orblocks the at least one of the plurality of IPTV streams from being broadcast via the network by the second device.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein:
    - the plurality of control message includes at least one of an Internet Group Message Protocol (IGMP) message and a Customer premise Management System (CMS) message.
  - 13. The apparatus of claim 11, wherein:
    - the at least one of the plurality of parameter characteristics includes indicia corresponding to virus, worm, or malware infection.
  - 14. The apparatus of claim 11, wherein:
    - the anomaly indicates that the at least one packet is virus, worm, or malware infected.
  - 15. The apparatus of claim 11, wherein:
    - each control message of the first plurality of control messages has a corresponding type, a corresponding service, a corresponding sending device, and a corresponding receiving device associated therewith;
      
      a first multicast group includes control messages having at least one of a first type, a first service, and a first receiving device associated therewith;
      
      a second multicast group includes control messages having at least one of a second type, a second service, and a second receiving device associated therewith;
      
      control messages of the first multicast group are received by the apparatus; and
      
      control messages of the second multicast group are received by at least one additional apparatus.
  - 16. The apparatus of claim 11, wherein one of the plurality of parameter characteristics is:
    - a number of control messages sent per unit of time;
      
      a deviation of the number of control messages sent per unit of time from an expected number of control messages sent per unit of time;
      
      a re-booting process of the first device;
      
      an expected value of a selected bit within a control message;
      
      a switch through which a control message passes between the first device and the second device; and
      
      a history of IPTV streams received or selected by the first device.

17. A method, comprising:
- monitoring a first plurality of control messages sent from a first device to a second device that broadcasts a plurality of Internet protocol television (IPTV) streams via a network;
  
  when at least one of the first plurality of control messages includes characteristics corresponding to at least one of a plurality of parameter characteristics, performing at least one of;
  
  blocking any future control message sent from the first device;
  
  blocking the plurality IPTV streams from being broadcast to the first device; and
  
  monitoring a second plurality of control messages sent from the first device to the second device; and
  
  when monitoring the second plurality of control messages sent from the second device to the first device and when at least one of the second plurality of control messages includes characteristics corresponding to at least one additional of the plurality of parameter characteristics, isolating the first device from the network.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - performing deep packet inspection (DPI) of at least one packet within at least one of the plurality of IPTV streams; and
      
      when an anomaly is detected within the at least one packet in accordance with the DPI, blocking the at least one of the plurality of IPTV streams from being broadcast via the network by the second device.
  - 19. The method of claim 17, wherein:
    - each control message of the first plurality of control messages has a corresponding type, a corresponding service, a corresponding sending device, and a corresponding receiving device associated therewith;
      
      a first multicast group includes control messages having at least one of a first type, a first service, and a first receiving device associated therewith;
      
      a second multicast group includes control messages having at least one of a second type, a second service, and a second receiving device associated therewith; and
      
      further comprising;
      
      providing control messages of the first multicast group to a first security appliance that is coupled to the network; and
      
      providing control messages of the second multicast group to a second security appliance that is coupled to the network.
  - 20. The method of claim 17, wherein one of the plurality of parameter characteristics is:
    - a number of control messages sent per unit of time;
      
      a deviation of the number of control messages sent per unit of time from an expected number of control messages sent per unit of time;
      
      a re-booting process of the first device;
      
      an expected value of a selected bit within a control message;
      
      a switch through which a control message passes between the first device and the second device; and
      
      a history of IPTV streams received or selected by the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
GUINGO, PIERRICK, KHAN, FAUD A., CHOYI, VINOD K.

Granted Patent

US 8,769,682 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 41/0213   Standardised network manage...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 65/611   for multicast or broadcast ...

H04N 21/6405   Multicasting data broadcast...

H04N 21/64322   IP

H04N 21/64723   Monitoring of network proce...

MECHANISM FOR IDENTIFYING MALICIOUS CONTENT, DoS ATTACKS, AND ILLEGAL IPTV SERVICES

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MECHANISM FOR IDENTIFYING MALICIOUS CONTENT, DoS ATTACKS, AND ILLEGAL IPTV SERVICES

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links