MALICIOUS USER AGENT DETECTION AND DENIAL OF SERVICE (DOS) DETECTION AND PREVENTION USING FINGERPRINTING
First Claim
1. A method comprising:
- receiving a session control protocol request message;
- fingerprinting the session control protocol message;
- comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents; and
- rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents.
Abstract
A method may include receiving a session control protocol request message and fingerprinting the received session control protocol message. The method may further include comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents and rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents. The method may include comparing the fingerprint of the received request message to the list of fingerprints associated with known non-malicious user agents and accepting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents.
81 Citations
22 Claims
1. A method comprising:
- receiving a session control protocol request message;
- fingerprinting the session control protocol message;
- comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents; and
- rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A method comprising:
- receiving a session control protocol request message;
- fingerprinting the session control protocol message;
- comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents;
- holding the request message when the fingerprint of the received message does not match any fingerprint in the list of fingerprints associated with known malicious user agents;
- determining whether the received request is associated with an anomalous event when the fingerprint of the request message does not match any fingerprint in the list of fingerprints associated with known malicious user agents; and
- blocking the received request message when the request is associated with the anomalous event.

9. The method of claim 9, wherein determining whether the request message is associated with the anomalous event includes:
- receiving one or more additional session control protocol messages; and
- fingerprinting each of the additional session control protocol messages, wherein the fingerprint of each of the additional session control protocol messages is identical to the received session control protocol messages, and wherein the number of additional session control protocol messages exceeds a threshold.
(Dependent claims: 10, 11)

12. The method of claim 12, wherein fingerprinting the header includes fingerprinting the header based on a number of header elements, a content of header elements, or the ordering of header elements.

16. A network device comprising:
- a receiver to receive a session control protocol request message;
- a memory to store a list of fingerprints associated with known malicious user agents;
- a processor to:
  - fingerprint the session control protocol message,
  - compare the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents,
  - determine to reject the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents.
(Dependent claims: 17, 18, 19, 20, 21, 22)
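
As an added illustration of the flow in claims 1, 8, 9 and 12 and the allow list in the abstract (example code written for this page, not taken from the patent), the Python below fingerprints a request from the number, ordering and selected content of its header elements, then returns reject, accept, hold or block. The SIP-style message layout, the choice of "stable" headers, SHA-256, the sliding time window and all names are assumptions of this example.

```python
import hashlib
from collections import defaultdict, deque

# Headers assumed constant per user agent (an assumption of this example);
# per-call values such as Call-ID, CSeq or Via would make every fingerprint unique.
STABLE_CONTENT = ("user-agent", "allow", "supported")

def fingerprint(raw: str) -> str:
    """Hash the method plus the number, order and selected content of header elements."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method = head[0].split(" ", 1)[0].upper()
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in head[1:] if ":" in line)]
    names = [n for n, _ in headers]
    content = [f"{n}={v}" for n, v in headers if n in STABLE_CONTENT]
    material = "\n".join([method, str(len(names)), ",".join(names), *content])
    return hashlib.sha256(material.encode()).hexdigest()

class FingerprintGate:
    def __init__(self, deny, allow, threshold=3, window=10.0):
        self.deny, self.allow = set(deny), set(allow)
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # fingerprint -> arrival times of held requests

    def decide(self, raw: str, now: float) -> str:
        fp = fingerprint(raw)
        if fp in self.deny:
            return "reject"
        if fp in self.allow:
            return "accept"
        times = self.seen[fp]
        times.append(now)
        while now - times[0] > self.window:  # drop arrivals outside the window
            times.popleft()
        # More than `threshold` additional identical fingerprints: anomalous event.
        return "block" if len(times) - 1 > self.threshold else "hold"

def sample(call_id, agent, order=("Via", "From", "To", "Call-ID", "CSeq", "User-Agent")):
    """Constructed SIP-style REGISTER request (not captured traffic)."""
    values = {"Via": f"SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK{call_id}",
              "From": "<sip:a@example.test>", "To": "<sip:a@example.test>",
              "Call-ID": call_id, "CSeq": "1 REGISTER", "User-Agent": agent}
    lines = ["REGISTER sip:example.test SIP/2.0"] + [f"{h}: {values[h]}" for h in order]
    return "\r\n".join(lines) + "\r\n\r\n"
```

Because the fingerprint ignores per-call values, a flood from one tool collapses to a single fingerprint even when every Call-ID differs, which is what lets the threshold in claim 9 fire.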
Specification