REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE
Abstract
The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway.
25 Claims
1. A method of detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network, comprising:
- receiving, by a server, information related to a mitigation action for a call, the mitigation action being generated by an analyzer based on detecting a possible attack by the call, the information including a complexity level for administering an audio challenge-response test to the call;
- generating, by the server, a script including variables for identifying a plurality of altered sound files for the audio challenge-response test;
- assigning, by the server, a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and
- transmitting, by the server, the script and the routing label to the guardian module;
- defining, by the guardian module, the variables of the script to identify the plurality of altered sound files for the audio challenge-response test, wherein each altered sound file is randomly selected by the guardian module subject to the parameters of the routing label; and
- administering, by the guardian module, the audio challenge-response test to the call based on the script.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method of generating an altered sound file for a digit that corresponds to a number or a letter, the method comprising:
- receiving a complexity level and an input audio file comprising original clear voice sound of the digit;
- converting data in the input audio file into normalized digit data;
- generating normalized background noise using a noise generation algorithm;
- adding the normalized background noise to the normalized digit data to generate combined data, the amount of background noise added being based on the complexity level; and
- de-normalizing the combined data to produce the altered sound file for the digit.
Dependent claims: 10, 11, 12, 13

14. A method of generating an inter-digit noise file, the method comprising:
- generating normalized background noise using a noise generation algorithm;
- adding one or more random bits of silence to the normalized background noise;
- adding one or more random bits of amplitude variation to the normalized background noise; and
- de-normalizing the normalized background noise to produce the inter-digit noise file.

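The steps of claims 9 and 14, sketched as an added example that is not code from the patent. The claims do not fix the noise algorithm, the mapping from complexity level to noise amount, or how silence and amplitude variation are placed, so the uniform white noise, the `gain` formula, the 80-sample chunks and the sine-tone stand-in for a recorded digit are all assumptions made here.

```python
import math
import random

FULL_SCALE = 32767  # 16-bit signed PCM full scale

def normalize(pcm):
    return [s / FULL_SCALE for s in pcm]

def denormalize(data):
    # Clip to the 16-bit range so an over-loud mix cannot wrap around.
    return [max(-FULL_SCALE, min(FULL_SCALE, round(v * FULL_SCALE))) for v in data]

def white_noise(n, rng):
    # Assumed noise generation algorithm: uniform white noise in [-1, 1].
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]

def alter_digit(pcm, level, rng, max_level=5):
    """Claim 9 steps: normalize, add level-scaled noise, de-normalize."""
    digit = normalize(pcm)
    gain = 0.5 * level / max_level  # assumed mapping: higher level, more noise
    noise = white_noise(len(digit), rng)
    return denormalize([d + gain * n for d, n in zip(digit, noise)])

def inter_digit_noise(n, rng, chunk=80):
    """Claim 14 steps: noise, random silence, random amplitude variation."""
    noise = white_noise(n, rng)
    for start in range(0, n, chunk):
        # Each chunk is either silenced or given its own random amplitude.
        scale = 0.0 if rng.random() < 0.2 else rng.uniform(0.1, 0.5)
        for i in range(start, min(start + chunk, n)):
            noise[i] *= scale
    return denormalize(noise)

def snr_db(clean, altered):
    """Signal-to-noise ratio of an altered file against its clean source."""
    signal = sum(c * c for c in clean)
    error = sum((a - c) ** 2 for c, a in zip(clean, altered))
    return 10 * math.log10(signal / error)

def sample_digit(n=800, rate=8000, freq=440.0):
    # Constructed stand-in for a recorded digit: a half-scale sine tone.
    return [round(0.5 * FULL_SCALE * math.sin(2 * math.pi * freq * i / rate))
            for i in range(n)]

if __name__ == "__main__":
    clean = sample_digit()
    for level in (1, 3, 5):
        altered = alter_digit(clean, level, random.Random(1))
        print(f"level {level}: SNR {snr_db(clean, altered):.1f} dB")
```

Measuring the signal-to-noise ratio per level is a quick check that a higher complexity level really produces a harder file rather than a clipped one.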
15. A method of detecting and mitigating network attacks in a VoIP network, comprising:
- maintaining, by a detection module, a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls;
- maintaining, by the detection module, a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
- updating, by the detection module, an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call;
- comparing, by the detection module, the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
- determining, by the detection module, if an anomaly exists based on the comparing using multivariate analysis; and
- generating, by the detection module, an alarm corresponding to the incoming call indicative of the network attack if the anomaly is detected.
Dependent claims: 16, 17, 18, 19

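One way to realise the update, compare and alarm steps of claim 15, as an added example that is not code from the patent. The claim names only "multivariate analysis"; the squared Mahalanobis distance used here, the three CDR features, the 60-second window, the threshold and every sample value are assumptions constructed for illustration.

```python
from collections import deque

WINDOW_S = 60.0    # assumed sliding-window length for the adaptable profile
THRESHOLD = 16.27  # chi-square 0.999 quantile, 3 degrees of freedom (assumed cut-off)
# Constructed reference profile: mean and covariance of
# (calls in window, mean duration in s, distinct callees) for normal callers.
REF = {"mean": [2.0, 120.0, 2.0],
       "cov": [[1.0, -5.0, 0.8], [-5.0, 900.0, -3.0], [0.8, -3.0, 1.0]]}

def update_profile(profile, cdr):
    """Fold one CDR into the adaptable profile; return its feature vector."""
    profile.append(cdr)
    while profile[0]["start"] < cdr["start"] - WINDOW_S:
        profile.popleft()  # forget calls that fell out of the window
    mean_dur = sum(c["duration"] for c in profile) / len(profile)
    callees = {c["callee"] for c in profile}
    return [float(len(profile)), mean_dur, float(len(callees))]

def solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            m[r] = [v - f * p for v, p in zip(m[r], m[col])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x

def check_call(profile, cdr, ref=REF):
    """Update the profile, compare it with the reference, decide on an alarm."""
    x = update_profile(profile, cdr)
    diff = [xi - mi for xi, mi in zip(x, ref["mean"])]
    # Squared Mahalanobis distance: diff^T * cov^-1 * diff
    score = sum(d * s for d, s in zip(diff, solve(ref["cov"], diff)))
    return {"alarm": score > THRESHOLD, "score": score, "features": x}

def replay(cdrs):
    """Run one caller's CDRs in order; return the verdict for the last one."""
    profile, verdict = deque(), None
    for cdr in cdrs:
        verdict = check_call(profile, cdr)
    return verdict

# Constructed CDRs: an ordinary caller, then a burst of short calls to many numbers.
NORMAL = [{"start": 0.0, "callee": "A", "duration": 110.0},
          {"start": 30.0, "callee": "B", "duration": 130.0}]
BURST = [{"start": 2.0 * i, "callee": f"N{i}", "duration": 3.0} for i in range(20)]
```

Scoring the features jointly lets correlated deviations (many calls, each to a new number) count for more than any single per-feature threshold would.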
20. A system for detecting and mitigating network attacks in a VoIP network, the system comprising:
- an analyzer including i) a detection module for detecting a possible attack corresponding to a call, ii) a rules engine for determining a mitigation action to avoid the possible attack, the mitigation action provisioning an audio challenge-response test for the call, and iii) a policy change engine for forwarding information about the mitigation action to one or more modules of the system, the information including a complexity level for administering the audio challenge-response test;
- a server for receiving the information from the policy change engine, the server is adapted to: i) generate a script including variables for identifying a plurality of altered sound files for the audio challenge-response test, and ii) assign a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and
- a guardian module for receiving the script and the routing label from the server, the guardian module is adapted to define the variables of the generic script to identify the plurality of altered sound files for the challenge-response test and administer the challenge-response test to the call based on the script, wherein each altered sound file is randomly selected by the guardian module subject to the parameters of the routing label.

21. A detection module for detecting and mitigating network attacks in a VoIP network, the detection module comprising:
- a database for maintaining: i) a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls, and ii) a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
- a profile unit for updating an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call; and
- a detector unit for comparing the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles, determining if an anomaly exists based on the comparing using multivariate analysis, and generating an alarm corresponding to the incoming call indicative of the network attack if the anomaly is detected.

22. A computer program product, tangibly embodied in a computer readable medium, for detecting and mitigating network attacks in a VoIP network, the computer program product including instructions being operable to cause data processing apparatus to:
- receive information related to a mitigation action for a call, the mitigation action being generated by an analyzer based on detecting a possible attack by the call, the information including a complexity level for administering an audio challenge-response test to the call;
- generate a script including variables for identifying a plurality of altered sound files for the audio challenge-response test;
- assign a routing label to the call, the routing label including one or more parameters for configuring the variables of the script according to the complexity level; and
- transmit the script and the routing label to the guardian module, wherein the guardian module is adapted to i) define the variables of the script to identify the plurality of altered sound files for the audio challenge-response test, and ii) administer the audio challenge-response test to the call based on the script, each altered sound file being randomly selected by the guardian module subject to the parameters of the routing label.

23. A computer program product, tangibly embodied in a computer readable medium, for generating an altered sound file for a digit that corresponds to a number or a letter, the computer program product including instructions being operable to cause data processing apparatus to:
- receive a complexity level and an input audio file comprising original clear voice sound of the digit;
- convert data in the input audio file into normalized digit data;
- generate normalized background noise using a noise generation algorithm;
- add the normalized background noise to the normalized digit data to generate combined data, the amount of background noise added is based on the complexity level; and
- de-normalize the combined data to produce the altered sound file for the digit.

24. A computer program product, tangibly embodied in a computer readable medium, for generating an inter-digit noise file, the computer program product including instructions being operable to cause data processing apparatus to:
- generate normalized background noise using a noise generation algorithm;
- add one or more random bits of silence to the normalized background noise;
- add one or more random bits of amplitude variation to the normalized background noise; and
- de-normalize the normalized background noise to produce the inter-digit noise file.

25. A computer program product, tangibly embodied in a computer readable medium, for detecting and mitigating network attacks in a VoIP network, the computer program product including instructions being operable to cause data processing apparatus to:
- maintain a plurality of adaptable profiles that capture statistical and behavioral properties of call detail records (CDRs) associated with a plurality of received calls;
- maintain a plurality of reference profiles that reflect normal call behavior corresponding to the plurality of adaptable profiles;
- update an adaptable profile from the plurality of adaptable profiles based on a CDR of an incoming call;
- compare the updated adaptable profile with a corresponding reference profile from the plurality of reference profiles;
- determine if an anomaly exists based on the comparing using multivariate analysis; and
- generate an alarm corresponding to the incoming call indicative of the network attack if the anomaly is detected.

Specification