MALICIOUIS USER AGENT DETECTION AND DENIAL OF SERVICE (DOS) DETECTION AND PREVENTION USING FINGERPRINTING

US 20120210421A1
Filed: 02/11/2011
Published: 08/16/2012
Est. Priority Date: 02/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a session control protocol request message;

fingerprinting the session control protocol message;

comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents; and

rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may include receiving a session control protocol request message and fingerprinting the received session control protocol message. The method may further include comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents and rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents. The method may include comparing the fingerprint of the received request message to the list of fingerprints associated with known non-malicious user agents and accepting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents.

81 Citations

View as Search Results

22 Claims

1. A method comprising:
- receiving a session control protocol request message;
  
  fingerprinting the session control protocol message;
  
  comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents; and
  
  rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1,wherein the session control protocol request message includes a Session Initiation Protocol (SIP) request message having a header, andwherein fingerprinting the session control protocol message includes fingerprinting the header of the SIP request message.
  - 3. The method of claim 2, wherein fingerprinting the header includes fingerprinting the header based on a number of header elements, a content of header elements, or the ordering of header elements.
  - 4. The method of claim 2, wherein fingerprinting the header includes fingerprinting a Call-ID field in the header.
  - 5. The method of claim 2, further comprising:
    - comparing the fingerprint of the received request message to the list of fingerprints associated with known non-malicious user agents; and
      
      accepting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents.
  - 6. The method of claim 5, further comprising:
    - determining whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents and when the fingerprint of the request message does not match any fingerprints in the list of fingerprints associated with known non-malicious user agents; and
      
      adding the fingerprint of the received request to the list of fingerprints associated with known malicious user agents when the received request is associated with an anomalous event.
  - 7. The method of claim 5, further comprising:
    - determining whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents and when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known non-malicious user agents; and
      
      adding the fingerprint of the received request to the list of fingerprints associated with known non-malicious user agents when the received request is not associated with an anomalous event.

8. A method comprising:
- receiving a session control protocol request message;
  
  fingerprinting the session control protocol message;
  
  comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents;
  
  holding the request message when the fingerprint of the received message does not match any fingerprint in the list of fingerprints associated with known malicious user agents;
  
  determining whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents; and
  
  blocking the received request message when the request is associated with the anomalous event.

9. The method of claim 9, wherein determining whether the request message is associated with the anomalous event includes:
- receiving one or more additional session control protocol messages; and
  
  fingerprinting each of the additional session control protocol messages, wherein the fingerprint of each of the additional session control protocol messages is identical to the received session control protocol messages, and wherein the number of additional session control protocol messages exceeds a threshold.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, further comprising:
    - adding the fingerprint of the received request to the list of fingerprints associated with known malicious user agents when the received request is associated with an anomalous event.
  - 11. The method of claim 9,wherein the session control protocol request message includes a Session Initiation Protocol (SIP) request message having a header, andwherein fingerprinting the session control protocol message includes fingerprinting the header of the SIP request message.

12. The method of claim 12, wherein fingerprinting the header includes fingerprinting the header based on a number of header elements, a content of header elements, or the ordering of header elements.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein fingerprinting the header includes fingerprinting a Call-ID field in the header.
  - 14. The method of claim 12, further comprising:
    - comparing the fingerprint of the received request message to a list of fingerprints associated with known non-malicious user agents; and
      
      accepting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents.
  - 15. The method of claim 12, further comprising:
    - determining whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents and when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known non-malicious user agents; and
      
      adding the fingerprint of the received request to a list of fingerprints associated with known non-malicious user agents when the received request is not associated with an anomalous event.

16. A network device comprising:
- a receiver to receive a session control protocol request message;
  
  a memory to store a list of fingerprints associated with known malicious user agents;
  
  a processor to;
  
  fingerprint the session control protocol message,compare the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents,determine to reject the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The network device of claim 16,wherein the session control protocol request message includes a Session Initiation Protocol (SIP) request message having a header, andwherein the processor is configured to fingerprint the session control protocol message includes fingerprinting the header of the SIP request message.
  - 18. The network device of claim 17, wherein the processor is configured to fingerprint the header based on a number of header elements, a content of header elements, or the ordering of header elements.
  - 19. The network device of claim 17, wherein the processor is configured to fingerprint a Call-ID field in the header.
  - 20. The network device of claim 17, wherein the processor is configured to:
    - compare the fingerprint of the received request message to the list of fingerprints associated with known non-malicious user agents; and
      
      determine to accept the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents.
  - 21. The network device of claim 20, wherein the processor is further configured to:
    - determine whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents and when the fingerprint of the request message does not match any fingerprints in the list of fingerprints associated with known non-malicious user agents; and
      
      add the fingerprint of the received request to the list of fingerprints associated with known malicious user agents when the received request is associated with an anomalous event.
  - 22. The network device of claim 20, further comprising:
    - determining whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents and when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known non-malicious user agents; and
      
      adding the fingerprint of the received request to the list of fingerprints associated with known non-malicious user agents when the received request is not associated with an anomalous event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Ormazabal, Gaston S., Schulzrinne, Henning G.

Granted Patent

US 8,689,328 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

MALICIOUIS USER AGENT DETECTION AND DENIAL OF SERVICE (DOS) DETECTION AND PREVENTION USING FINGERPRINTING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

MALICIOUIS USER AGENT DETECTION AND DENIAL OF SERVICE (DOS) DETECTION AND PREVENTION USING FINGERPRINTING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links