Filtering unwanted data traffic via a per-customer blacklist

US 20100082811A1
Filed: 09/29/2008
Published: 04/01/2010
Est. Priority Date: 09/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method for generating a customer blacklist associated with a customer system, comprising the steps of:

generating a network blacklist comprising a first plurality of Internet Protocol (IP) addresses, said first plurality of IP addresses identifying a first plurality of unwanted traffic sources;

generating a customer whitelist comprising a second plurality of IP addresses, said second plurality of IP addresses identifying a plurality of wanted traffic sources;

comparing each IP address in said first plurality of IP addresses with each IP address in said second plurality of IP addresses; and

for each IP address in said first plurality of IP addresses;

adding the IP address to the customer blacklist if the IP address is not in said second plurality of IP addresses; and

not adding the IP address to the customer blacklist if the IP address is in the second plurality of IP addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Traffic flow from a traffic source with a source IP address to a customer system with a destination IP address is filtered by comparing the source IP address to a customer blacklist. If the source IP address is on the customer blacklist, then traffic to the customer system is blocked; else, traffic to the customer system is allowed. The customer blacklist is generated from a network blacklist, comprising IP addresses of unwanted traffic sources, and a customer whitelist, comprising IP addresses of wanted traffic sources. The customer blacklist is generated by removing from the network blacklist any IP address also on the customer whitelist. The network blacklist is generated by acquiring raw blacklists from reputation systems. IP addresses on the raw blacklists are sorted by prefix groups, which are rank ordered by traffic frequency. Top prefix groups are selected for the network blacklist.

164 Citations

24 Claims

1. A method for generating a customer blacklist associated with a customer system, comprising the steps of:
- generating a network blacklist comprising a first plurality of Internet Protocol (IP) addresses, said first plurality of IP addresses identifying a first plurality of unwanted traffic sources;
  
  generating a customer whitelist comprising a second plurality of IP addresses, said second plurality of IP addresses identifying a plurality of wanted traffic sources;
  
  comparing each IP address in said first plurality of IP addresses with each IP address in said second plurality of IP addresses; and
  
  for each IP address in said first plurality of IP addresses;
  
  adding the IP address to the customer blacklist if the IP address is not in said second plurality of IP addresses; and
  
  not adding the IP address to the customer blacklist if the IP address is in the second plurality of IP addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the steps of:
    - monitoring a traffic flow from a traffic source identified by a source IP address to said customer system, wherein said customer system is identified by a destination IP address;
      
      comparing the source IP address with said customer blacklist;
      
      blocking the traffic flow if the source IP address is on said customer blacklist; and
      
      allowing the traffic flow if the source IP address is not on said customer blacklist.
  - 3. The method of claim 2, wherein the step of blocking the traffic flow further comprises the step of:
    - blocking the traffic flow at a node.
  - 4. The method of claim 1, wherein the step of generating a network blacklist further comprises the steps of:
    - acquiring at least one raw blacklist comprising a third plurality of IP addresses identifying a third plurality of unwanted traffic sources;
      
      sorting the third plurality of IP addresses according to prefix groups with a network-specified prefix length;
      
      rank ordering the prefix groups according to traffic frequency; and
      
      selecting the top network-specified prefix groups.
  - 5. The method of claim 4, wherein the step of acquiring at least one raw blacklist further comprises the step of:
    - accessing at least one reputation system.
  - 6. The method of claim 4, wherein the step of generating a network blacklist further comprises the step of:
    - populating a filter table with the top network-specified prefix groups.
  - 7. The method of claim 1, wherein the step of generating a customer whitelist further comprises the step of:
    - analyzing a customer historical usage pattern.
  - 8. The method of claim 1, wherein the step of generating a network blacklist further comprises the steps of:
    - acquiring at least one raw blacklist comprising a third plurality of IP addresses identifying a third plurality of unwanted traffic sources;
      
      sorting the third plurality of IP addresses according to prefix groups with a network-specified prefix length;
      
      analyzing traffic patterns within each prefix group;
      
      generating prefix subgroups based at least in part on said prefix groups and said analyzed traffic patterns;
      
      rank ordering the prefix subgroups according to traffic frequency; and
      
      selecting the top network-specified prefix subgroups.

9. An apparatus for generating a customer blacklist associated with a customer system, comprising:
- means for generating a network blacklist comprising a first plurality of Internet Protocol (IP) addresses, said first plurality of IP addresses identifying a first plurality of unwanted traffic sources;
  
  means for generating a customer whitelist comprising a second plurality of IP addresses, said second plurality of IP addresses identifying a plurality of wanted traffic sources;
  
  means for comparing each IP address in said first plurality of IP addresses with each IP address in said second plurality of IP addresses; and
  
  for each IP address in said first plurality of IP addresses;
  
  means for adding the IP address to the customer blacklist if the IP address is not in said second plurality of IP addresses; and
  
  means for not adding the IP address to the customer blacklist if the IP address is in the second plurality of IP addresses.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, further comprising:
    - means for monitoring a traffic flow from a traffic source identified by a source IP address to said customer system, wherein said customer system is identified by a destination IP address;
      
      means for comparing the source IP address with said customer blacklist;
      
      means for blocking the traffic flow if the source IP address is on said customer blacklist; and
      
      means for allowing the traffic flow if the source IP address is not on said customer blacklist.
  - 11. The apparatus of claim 10, wherein the means for blocking the traffic flow further comprises:
    - means for blocking the traffic flow at a node.
  - 12. The apparatus of claim 9, wherein the means for generating a network blacklist further comprises:
    - means for acquiring at least one raw blacklist comprising a third plurality of IP addresses identifying a third plurality of unwanted traffic sources;
      
      means for sorting the third plurality of IP addresses according to prefix groups with a network-specified prefix length;
      
      means for rank ordering the prefix groups according to traffic frequency; and
      
      means for selecting the top network-specified prefix groups.
  - 13. The apparatus of claim 12, wherein the means for acquiring at least one raw blacklist further comprises:
    - means for accessing at least one reputation system.
  - 14. The apparatus of claim 12, wherein the means for generating a network blacklist further comprises:
    - means for populating a filter table with the top network-specified prefix groups.
  - 15. The apparatus of claim 9, wherein the means for generating a customer whitelist further comprises:
    - means for analyzing a customer historical usage pattern.
  - 16. The apparatus of claim 9, wherein the means for generating a network blacklist further comprises:
    - means for acquiring at least one raw blacklist comprising a third plurality of IP addresses identifying a third plurality of unwanted traffic sources;
      
      means for sorting the third plurality of IP addresses according to prefix groups with a network-specified prefix length;
      
      means for analyzing traffic patterns within each prefix group;
      
      means for generating prefix subgroups based at least in part on said prefix groups and said analyzed traffic patterns;
      
      means for rank ordering the prefix subgroups according to traffic frequency; and
      
      means for selecting the top network-specified prefix subgroups.

17. A computer readable medium storing computer program instructions for generating a customer blacklist associated with a customer system, said computer instructions defining the steps of:
- generating a network blacklist comprising a first plurality of IP addresses, said first plurality of IP addresses identifying a first plurality of unwanted traffic sources;
  
  generating a customer whitelist comprising a second plurality of IP addresses, said second plurality of IP addresses identifying a plurality of wanted traffic sources;
  
  comparing each IP address in said first plurality of IP addresses with each IP address in said second plurality of IP addresses; and
  
  for each IP address in said first plurality of IP addresses;
  
  adding the IP address to the customer blacklist if the IP address is not in said second plurality of IP addresses; and
  
  not adding the IP address to the customer blacklist if the IP address is in the second plurality of IP addresses.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer readable medium of claim 17, wherein the computer instructions for generating a customer blacklist further comprise computer program instructions defining the steps of:
    - monitoring a traffic flow from a traffic source identified by a source Internet Protocol (IP) address to said customer system, wherein said customer system is identified by a destination IP address;
      
      comparing the source IP address with said customer blacklist;
      
      blocking the traffic flow if the source IP address is on said customer blacklist; and
      
      allowing the traffic flow if the source IP address is not on said customer blacklist.
  - 19. The computer readable medium of claim 18, wherein said computer program instructions defining the step of blocking the traffic flow further comprise computer program instructions defining the step of:
    - blocking the traffic flow at a node.
  - 20. The computer readable medium of claim 17, wherein said computer program instructions defining the step of generating a network blacklist further comprise computer program instructions defining the steps of:
    - acquiring at least one raw blacklist comprising a third plurality of IP addresses identifying a third plurality of unwanted traffic sources;
      
      sorting the third plurality of IP addresses according to prefix groups with a network-specified prefix length;
      
      rank ordering the prefix groups according to traffic frequency; and
      
      selecting the top network-specified prefix groups.
  - 21. The computer readable medium of claim 20, wherein said computer program instructions defining the step of acquiring at least one raw blacklist further comprise computer program instructions defining the step of:
    - accessing at least one reputation system.
  - 22. The computer readable medium of claim 20, wherein said computer program instructions defining the step of generating a network blacklist further comprise computer program instructions defining the step of:
    - populating a filter table with the top network-specified prefix groups.
  - 23. The computer readable medium of claim 17, wherein said computer program instructions defining the step of generating a customer whitelist further comprise computer program instructions defining the step of:
    - analyzing a customer historical usage pattern.
  - 24. The computer readable medium of claim 17, wherein said computer program instructions defining the step of generating a network blacklist further comprise computer program instructions defining the steps of:
    - acquiring at least one raw blacklist comprising a third plurality of IP addresses identifying a third plurality of unwanted traffic sources;
      
      sorting the third plurality of IP addresses according to prefix groups with a network-specified prefix length;
      
      analyzing traffic patterns within each prefix group;
      
      generating prefix subgroups based at least in part on said prefix groups and said analyzed traffic patterns;
      
      rank ordering the prefix subgroups according to traffic frequency; and
      
      selecting the top network-specified prefix subgroups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
El Defrawy, Karim, Van Der Merwe, Jacobus Erasmus, Krishnamurthy, Balachander

Granted Patent

US 8,161,155 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

G06F 16/9535 Search customisation based ...

Filtering unwanted data traffic via a per-customer blacklist

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

164 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering unwanted data traffic via a per-customer blacklist

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links