SYSTEM AND METHOD FOR VOIP HONEYPOT FOR CONVERGED VOIP SERVICES

US 20120167208A1
Filed: 12/27/2010
Published: 06/28/2012
Est. Priority Date: 12/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method of addressing cyber threats enabled by convergence of data and communications services in an enterprise network, the method comprising a data processor executing computer instructions stored on a non-transitory computer readable storage medium to perform the steps of:

(a) intercepting suspicious incoming VoIP calls from the Internet to the enterprise network, and directing the suspicious incoming VOIP calls to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VOIP calls while tracing the suspicious incoming VOIP calls; and

(b) intercepting suspicious outgoing VoIP calls from the enterprise network to the Internet, and directing the suspicious outgoing VOIP calls to the VoIP honeypot that acts as a network decoy that responds automatically during call sessions for the suspicious outgoing VOIP calls while tracing the suspicious outgoing VOIP calls.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are systems, methods, and computer-readable storage media for a honeypot addressing cyber threats enabled by convergence of data and communication services in an enterprise network. Suspicious incoming VoIP calls from the Internet to the enterprise network are intercepted and directed to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VOIP calls while tracing the suspicious incoming VOIP calls. Suspicious outgoing VoIP calls from the enterprise network to the Internet are also intercepted and directed to the VoIP honeypot. Moreover, an unsolicited VoIP call is redirected to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited.

71 Citations

View as Search Results

20 Claims

1. A method of addressing cyber threats enabled by convergence of data and communications services in an enterprise network, the method comprising a data processor executing computer instructions stored on a non-transitory computer readable storage medium to perform the steps of:
- (a) intercepting suspicious incoming VoIP calls from the Internet to the enterprise network, and directing the suspicious incoming VOIP calls to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VOIP calls while tracing the suspicious incoming VOIP calls; and
  
  (b) intercepting suspicious outgoing VoIP calls from the enterprise network to the Internet, and directing the suspicious outgoing VOIP calls to the VoIP honeypot that acts as a network decoy that responds automatically during call sessions for the suspicious outgoing VOIP calls while tracing the suspicious outgoing VOIP calls.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as claimed in claim 1, which further includes directing an unsolicited VoIP call to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited.
  - 3. The method as claimed in claim 1, which further includes a non-VoIP honeypot in the enterprise network responding to suspicious clients issuing VoIP packets by sending the VoIP packets to the VoIP honeypot.
  - 4. The method as claimed in claim 1, which further includes the VoIP honeypot responding to references to non-VoIP resources via Uniform Resource Locators by sending requests for access to the non-VoIP resources to a non-VoIP honeypot in the enterprise network.
  - 5. The method as claimed in claim 1, which further includes detecting a suspicious instant message (IM), and in response to detecting the suspicious instant message (IM), directing the suspicious instant message (IM) to an instant message honeypot that impersonates a human recipient of the instant message (IM) by composing and returning an instant message (IM) response to the instant message (IM).
  - 6. The method as claimed in claim 1, which further includes detecting that an outgoing VoIP call has been triggered by a user clicking on unsolicited electronic mail, and in response to detecting that the outgoing VoIP call has been triggered by a user clicking on unsolicited electronic mail, redirecting the outgoing VoIP call to the VoIP honeypot.
  - 7. The method as claimed in claim 1, which further includes the VoIP honeypot responding during a connected session of a suspicious VoIP call by composing and returning a voice response that impersonates a human recipient.
  - 8. The method as claimed in claim 1, which includes the VoIP honeypot establishing occupancy schedules for virtual users of respective virtual user agents and directing VoIP calls addressed to the virtual user agents to voice mail boxes when the occupancy schedules indicate that the virtual user of the virtual user agents are absent when the VoIP calls addressed to the virtual user agents are received.
  - 9. The method as claimed in claim 1, which further includes the VoIP honeypot identifying suspicious calls as originating from a common source and compiling statistics of the suspicious calls from the common source to identify suspicious calls from an unknown source that are likely to have originated from the common source.

10. A system for addressing cyber threats enabled by convergence of data and communications services in an enterprise network, the system comprising:
- a network computer including a data processor and a non-transitory computer-readable storage medium storing computer instructions that, when executed by the data processor, perform the steps of;
  
  (a) intercepting suspicious incoming VoIP calls from the Internet to the enterprise network, and directing the suspicious incoming VOIP calls to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VOIP calls while tracing the suspicious incoming VOIP calls; and
  
  (b) intercepting suspicious outgoing VoIP calls from the enterprise network to the Internet, and directing the suspicious outgoing VOIP calls to the VoIP honeypot that acts as a network decoy that responds automatically during call sessions for the suspicious outgoing VOIP calls while tracing the suspicious outgoing VOIP calls.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system as claimed in claim 10, wherein the computer instructions, when executed by the data processor, further direct an unsolicited VoIP call to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited.
  - 12. The system as claimed in claim 10, which further includes a non-VoIP honeypot in the enterprise network responding to suspicious clients issuing VoIP packets by sending the VoIP packets to the VoIP honeypot.
  - 13. The system as claimed in claim 10 which further includes a non-VOIP honeypot in the enterprise network, the VoIP honeypot responding to references to non-VoIP resources via Uniform Resource Locators by sending requests for access to the non-VoIP resources to the non-VoIP honeypot.
  - 14. The system as claimed in claim 10 wherein the computer instructions, when executed by the data processor, further perform the steps of detecting a suspicious instant message (IM), and in response to detecting the suspicious instant message (IM), directing the suspicious instant message (IM) to an instant message honeypot that impersonates a human recipient of the instant message (IM) by composing and returning an instant message (IM) response to the instant message (IM).
  - 15. The system as claimed in claim 10, wherein the computer instructions, when executed by the data processor, further perform the step of detecting that an outgoing VoIP call has been triggered by a user clicking on unsolicited electronic mail, and in response to detecting that the outgoing VoIP call has been triggered by a user clicking on unsolicited electronic mail, redirecting the outgoing VoIP call to the VoIP honeypot.
  - 16. The system as claimed in claim 10, wherein the VoIP honeypot includes a voice and number response unit for responding during a connected session of a suspicious VoIP call by composing and returning a voice response that impersonates a human recipient.
  - 17. The system as claimed in claim 10, wherein the VoIP honeypot includes occupancy schedules for virtual users of respective virtual user agents and for directing VoIP calls addressed to the virtual user agents to voice mail boxes when the occupancy schedules indicate that the virtual user of the virtual user agents are absent when the VoIP calls addressed to the virtual user agents are received.
  - 18. The system as claimed in claim 10, wherein the VoIP honeypot include an attacker identifier that identifies suspicious calls as originating from a common source and compiles statistics of the suspicious calls from the common source to identify suspicious calls from an unknown source that are likely to have originated from the common source.

19. A non-transitory computer-readable storage medium storing computer instructions that, when executed by a data processor, perform a method of addressing cyber threats enabled by convergence of data and communications services in an enterprise network by the steps of:
- (a) intercepting suspicious incoming VoIP calls from the Internet to the enterprise network, and directing the suspicious incoming VOIP calls to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VOIP calls while tracing the suspicious incoming VOIP calls; and
  
  (b) intercepting suspicious outgoing VoIP calls from the enterprise network to the Internet, and directing the suspicious outgoing VOIP calls to the VoIP honeypot that acts as a network decoy that responds automatically during call sessions for the suspicious outgoing VOIP calls while tracing the suspicious outgoing VOIP calls.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable storage medium as claimed in claim 19, wherein the computer instructions, when executed by the data processor, further perform the step of directing an unsolicited VoIP call to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arlington Technologies, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Avaya Incorporated
Inventors
Buford, John F., Krishnaswamy, Venkatesh

Granted Patent

US 8,752,174 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

H04L 63/1491   using deception as counterm...

H04L 65/1053   IP private branch exchange ...

H04L 65/1069   Session establishment or de...

H04L 65/1079   of unsolicited session atte...

H04M 3/436   Arrangements for screening ...

H04M 3/5183   Call or contact centers wit...

H04M 3/53308   Message originator indirect...

H04M 7/006   Networks other than PSTN/IS...

SYSTEM AND METHOD FOR VOIP HONEYPOT FOR CONVERGED VOIP SERVICES

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR VOIP HONEYPOT FOR CONVERGED VOIP SERVICES

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others