REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE

US 20120090028A1
Filed: 10/12/2011
Published: 04/12/2012
Est. Priority Date: 10/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network, comprising:

receiving, by a server, information related to a mitigation action for a call, the mitigation action being generated by an analyzer based on detecting a possible attack by the call, the information including a complexity level for administering an audio challenge-response test to the call;

generating, by the server, a script including variables for identifying a plurality of altered sound files for the audio challenge-response test;

assigning, by the server, a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and

transmitting, by the server, the script and the routing label to the guardian module;

defining, by the guardian module, the variables of the script to identify the plurality of altered sound files for the audio challenge-response test, wherein each altered sound file is randomly selected by the guardian module subject to the parameters of the routing label; and

administering, by the guardian module, the audio challenge-response test to the call based on the script.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway.

80 Citations

View as Search Results

25 Claims

1. A method of detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network, comprising:
- receiving, by a server, information related to a mitigation action for a call, the mitigation action being generated by an analyzer based on detecting a possible attack by the call, the information including a complexity level for administering an audio challenge-response test to the call;
  
  generating, by the server, a script including variables for identifying a plurality of altered sound files for the audio challenge-response test;
  
  assigning, by the server, a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and
  
  transmitting, by the server, the script and the routing label to the guardian module;
  
  defining, by the guardian module, the variables of the script to identify the plurality of altered sound files for the audio challenge-response test, wherein each altered sound file is randomly selected by the guardian module subject to the parameters of the routing label; and
  
  administering, by the guardian module, the audio challenge-response test to the call based on the script.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein administering the audio challenge-response test further comprises:
    - retrieving, by the guardian module, the altered sound files from a storage area during runtime of the test based on the variables defined by the guardian module; and
      
      playing, by the guardian module, the altered sound files in a sequence defined by the variables.
  - 3. The method of claim 1 wherein the altered sound files include one or more altered digit files and one or more inter-digit noise files, each altered digit file comprising a combination of clear voice sound of a digit and an amount of background noise added according to a signal-to-noise ratio of the complexity level, and each inter-digit noise file providing a variable spacing in the form of noise between the altered digit files.
  - 4. The method of claim 1 wherein the one or more parameters of the routing label includes a minimum number of digits in the audio challenge-response test for the complexity level, a maximum number of digits in the audio challenge-response test for the complexity level, a signal-to-noise ratio for the complexity level, a minimum inter-digit delay for the complexity level and a maximum inter-digit delay for the complexity level.
  - 5. The method of claim 1 further comprising a gateway for returning the call to its regular path if the call passes the audio challenge-response test.
  - 6. The method of claim 5 wherein the gateway is further adapted to execute a final treatment if the call fails the audio challenge-response test, the final treatment comprising at least one of terminating the call, recording the call, diverting the call to an operator, replaying the audio challenge-response test, or providing a second audio challenge-response test.
  - 7. The method of claim 1 further comprising:
    - generating, by the analyzer, the altered sound files from a library of original sound files comprising unaltered sounds;
      
      generating, by the analyzer, a mapping of the identifications of the altered sound files to their respective complexity levels; and
      
      uploading, by the analyzer, the altered sound files and the mapping to at least one of the guardian module and the server.
  - 8. The method of claim 1 wherein the script includes additional variables customizable by the guardian module for the audio challenge-response test, the additional variables including:
    - a variable storing an identification of a greeting message to be played before the audio challenge-response test, a variable defining a number of times for replaying the audio challenge-response test, a variable defining a number of times a caller of the call is allowed to skip the audio challenge-response test and advance to a new audio challenge-response test, and a variable for specifying a final treatment if the caller fails the audio challenge-response test.

9. A method of generating an altered sound file for a digit that corresponds to a number or a letter, the method comprising:
- receiving a complexity level and an input audio file comprising original clear voice sound of the digit;
  
  converting data in the input audio file into normalized digit data;
  
  generating normalized background noise using a noise generation algorithm;
  
  adding the normalized background noise to the normalized digit data to generate combined data, the amount of background noise added being based on the complexity level; and
  
  de-normalizing the combined data to produce the altered sound file for the digit.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 wherein the normalized digit data comprises normalized linear pulse-code modulation data.
  - 11. The method of claim 9 wherein the noise generation algorithm produces at least one of additive white Gaussian noise or pre-recorded background noise.
  - 12. The method of claim 9 wherein the amount of background noise added is based on a signal-to-noise ratio defined for the complexity level.
  - 13. The method of claim 9 further comprising adding one or more random bits of silence to the combined data.

14. A method of generating an inter-digit noise file, the method comprising:
- generating normalized background noise using a noise generation algorithm;
  
  adding one or more random bits of silence to the normalized background noise;
  
  adding one or more random bits of amplitude variation to the normalized background noise; and
  
  de-normalizing the normalized background noise to produce the inter-digit noise file.

15. A method of detecting and mitigating network attacks in a VoIP network, comprising:
- maintaining, by a detection module, a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls;
  
  maintaining, by the detection module, a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
  
  updating, by the detection module, an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call;
  
  comparing, by the detection module, the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
  
  determining, by the detection module, if an anomaly exists based on the comparing using multivariate analysis; and
  
  generating, by the detection module, an alarm corresponding to the incoming call indicative of the network attack if the anomaly is detected.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15 further comprising forwarding, by the detection module, the alarm to a rules engine for determining a mitigation action for the incoming call if the anomaly is detected.
  - 17. The method of claim 15 wherein the mitigation action comprises rerouting the incoming call to a guardian module to receive an audio challenge-response test, wherein a complexity level of the test is determined based on the alarm.
  - 18. The method of claim 15 wherein determining if an anomaly exists using multivariate analysis further comprises:
    - computing a distance between the adaptable profile and the reference profile; and
      
      determining if the difference exceeds a threshold.
  - 19. The method of claim 15 further comprising determining the adaptable profile from the plurality of adaptable profiles, including:
    - determining a calling number of the incoming call;
      
      locating one or more received calls from the plurality of received calls with the same calling number; and
      
      selecting the adaptable file, created for the one or more received calls, from the plurality of adaptable profiles.

20. A system for detecting and mitigating network attacks in a VoIP network, the system comprising:
- an analyzer including i) a detection module for detecting a possible attack corresponding to a call, ii) a rules engine for determining a mitigation action to avoid the possible attack, the mitigation action provisioning an audio challenge-response test for the call, and iii) a policy change engine for forwarding information about the mitigation action to one or more modules of the system, the information including a complexity level for administering the audio challenge-response test;
  
  a server for receiving the information from the policy change engine, the server is adapted to;
  
  i) generate a script including variables for identifying a plurality of altered sound files for the audio challenge-response test, and ii) assign a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and
  
  a guardian module for receiving the script and the routing label from the server, the guardian module is adapted to define the variables of the generic script to identify the plurality of altered sound files for the challenge-response test and administer the challenge-response test to the call based on the script, wherein each altered sound file is randomly selected by the guardian module subject to the parameters of the routing label.

21. A detection module for detecting and mitigating network attacks in a VoIP network, the detection module comprising:
- a database for maintaining;
  
  i) a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls, and ii) a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
  
  a profile unit for updating an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call; and
  
  a detector unit for comparing the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles, determining if an anomaly exists based on the comparing using multivariate analysis, and generating an alarm corresponding to the incoming call indicative of the network attack if the anomaly is detected.

22. A computer program product, tangibly embodied in a computer readable medium, for detecting and mitigating network attacks in a VoIP network, the computer program product including instructions being operable to cause data processing apparatus to:
- receive information related to a mitigation action for a call, the mitigation action being generated by an analyzer based on detecting a possible attack by the call, the information including a complexity level for administering an audio challenge-response test to the call;
  
  generate a script including variables for identifying a plurality of altered sound files for the audio challenge-response test;
  
  assign a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and
  
  transmit the script and the routing label to the guardian module, wherein the guardian module is adapted to i) define the variables of the script to identify the plurality of altered sound files for the audio challenge-response test, and ii) administer the audio challenge-response test to the call based on the script, each altered sound file being randomly selected by the guardian module subject to the parameters of the routing label.

23. A computer program product, tangibly embodied in a computer readable medium, for generating an altered sound file for a digit that corresponds to a number or a letter, the computer program product including instructions being operable to cause data processing apparatus to:
- receive a complexity level and an input audio file comprising original clear voice sound of the digit;
  
  convert data in the input audio file into normalized digit data;
  
  generate normalized background noise using a noise generation algorithm;
  
  add the normalized background noise to the normalized digit data to generate combined data, the amount of background noise added is based on the complexity level; and
  
  de-normalize the combined data to produce the altered sound file for the digit.

24. A computer program product, tangibly embodied in a computer readable medium, for generating an inter-digit noise file, the computer program product including instructions being operable to cause data processing apparatus to:
- generate normalized background noise using a noise generation algorithm;
  
  add one or more random bits of silence to the normalized background noise;
  
  add one or more random bits of amplitude variation to the normalized background noise; and
  
  de-normalize the normalized background noise to produce the inter-digit noise file.

25. A computer program product, tangibly embodied in a computer readable medium, for detecting and mitigating network attacks in a VoIP network, the computer program product including instructions being operable to cause data processing apparatus to:
- maintain a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls;
  
  maintain a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
  
  update an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call;
  
  compare the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
  
  determine if an anomaly exists based on the comparing using multivariate analysis; and
  
  generate an alarm corresponding to the incoming call indicative of the network attack if the anomaly is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ribbon Communications Operating Company, Inc. (Ribbon Communications, Inc.)
Original Assignee
Sonus Networks Incorporated (Ribbon Communications, Inc.)
Inventors
Lapsley, David, Matragi, Wassim, Mansur, Miri, Klotzbach, Jonathan, Shu, Ti-yuan Dean, Chary, Sri, Joseph, Joby, Topham, Mark, Dumble, Kenneth

Granted Patent

US 8,719,930 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links