SECURITY ENHANCEMENTS FOR A SOFTWARE-DEFINED NETWORK WITH NETWORK FUNCTIONS VIRTUALIZATION

US 20160142427A1
Filed: 11/19/2014
Published: 05/19/2016
Est. Priority Date: 11/19/2014
Status: Active Grant

First Claim

Patent Images

1. A network device, comprising:

a processor; and

a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising;

monitoring components of a communication network configured according to a software-defined networking protocol that defines first rules relating to a separation of a control layer associated with the communication network from a forwarding layer associated with the communication network and according to a network functions virtualization protocol that defines second rules relating to functions of the communication network being provided in a virtual environment comprising a virtualized network device;

in response to the monitoring, determining an information security issue based on a set of security protocols; and

generating, in the virtual environment according to the first rules or the second rules, a virtualized resource for the communication network that facilitates mitigation of the information security issue based on the set of security protocols.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication network can be constructed to support software-defined networking (SDN) protocols and network functions virtualization (NFV) protocols. Such a communication network can advantageously be operated at lower costs, increased flexibility and control, and with simplified management to name but a few. In addition to these advantages, various networking security aspects can be enhanced by leveraging the SDN/NFV architecture.

71 Citations

View as Search Results

20 Claims

1. A network device, comprising:
- a processor; and
  
  a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising;
  
  monitoring components of a communication network configured according to a software-defined networking protocol that defines first rules relating to a separation of a control layer associated with the communication network from a forwarding layer associated with the communication network and according to a network functions virtualization protocol that defines second rules relating to functions of the communication network being provided in a virtual environment comprising a virtualized network device;
  
  in response to the monitoring, determining an information security issue based on a set of security protocols; and
  
  generating, in the virtual environment according to the first rules or the second rules, a virtualized resource for the communication network that facilitates mitigation of the information security issue based on the set of security protocols.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The network device of claim 1, wherein the set of security protocols comprises a confidentiality security protocol that promotes a determined confidentiality of first data traversing the communication network, an integrity security protocol that preserves accuracy and consistency of second data maintained by the communication network, an availability security protocol that preserves access to third data maintained by the communication network, and a forensic security protocol that preserves fourth data representing a cause of the information security issue.
  - 3. The network device of claim 1, wherein the information security issue relates to behavior of a first component of the components that violates a first security protocol of the set of security protocols, identification of intrusion data that violates a second security protocol of the set of security protocols, or identification of network traffic associated with a second component of the components that violates a third security protocol of the set of security protocols.
  - 4. The network device of claim 1, wherein the virtualized resource operates to capture an image of a state of the communication network in response to the determining the information security issue.
  - 5. The network device of claim 1, wherein the virtualized resource relates to processing security threat tracing and mitigation protocols in response to the determining the information security issue.
  - 6. The network device of claim 1, wherein the virtualized resource relates to assigning additional processing resources to the virtualized network device in response to the determining the information security issue.
  - 7. The network device of claim 1, wherein the virtualized resource relates to replicating the virtualized network device in response to the determining the information security issue.
  - 8. The network device of claim 1, wherein the operations further comprise:
    - categorizing, based on a defined network traffic parameter of the set of security protocols, network traffic associated with the virtualized network device into a first subset of network traffic and a second subset of network traffic; and
      
      routing the first subset of network traffic to the virtualized network device and the second subset of network traffic to another instance of the virtualized network device in the virtual environment.
  - 9. The network device of claim 1, wherein the operations further comprise eliminating the virtualized resource in response to determining the information security issue has been mitigated.
  - 10. The network device of claim 1, wherein the components of the communication network support long term evolution standards that define an evolved packet core set of devices that operate to process packets as part of an all-Internet protocol network.
  - 11. The network device of claim 10, wherein the evolved packet core set of devices is a virtualized evolved packet core set of devices that operates in the virtual environment.
  - 12. The network device of claim 10, wherein the virtualized evolved packet core set of devices comprises a virtualized serving gateway device that functions as a first virtualized instance of a serving gateway device according to the long term evolution standards, a virtualized packet data network gateway device that functions as a second virtualized instance of a packet data network gateway device according to the long term evolution standards, a virtualized mobility management entity that functions as a third virtualized instance of a mobility management entity device according to the long term evolution standards, and a virtualized home subscriber server that functions as a fourth virtualized instance of a home subscriber server device according to the long term evolution standards.

13. A method, comprising:
- controlling, by a device comprising a processor, a virtual environment comprising a virtualized device of a communication network configured according to a software-defined networking protocol that defines first rules relating to a separation of a control layer associated with the communication network from a forwarding layer associated with the communication network and according to a network functions virtualization protocol that defines second rules relating to functions of the communication network being provided in the virtual environment;
  
  monitoring, by the device, a set of network devices associated with the communication network and the virtualized device;
  
  determining, by the device, an information security threat based on a set of security protocols; and
  
  generating, by the device, a virtualized resource in the virtual environment that mitigates the information security threat according to the set of security protocols.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the generating the virtualized resource comprises generating the virtualized resource operating to capture an image of a state of the communication network in response to the determining the information security threat.
  - 15. The method of claim 13, wherein the generating the virtualized resource comprises generating the virtualized resource operating to identify a source of the information security threat in response to the determining the information security threat.
  - 16. The method of claim 15, further comprising generating a second virtualized resource operating to mitigate the security threat based on an identification of the source.
  - 17. The method of claim 13, wherein the generating the virtualized resource comprises replicating the virtualized device in response to the determining the information security threat.

18. A computer readable storage device comprising executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
- controlling a virtual environment of a communication network comprising a virtualized network device configured according to a software-defined networking protocol that defines first rules relating to a separation of a control layer associated with the communication network from a forwarding layer associated with the communication network and according to a network functions virtualization protocol that defines second rules relating to functions of the communication network being provided in the virtual environment;
  
  monitoring the virtualized device and a set of network devices associated with the communication network;
  
  determining an information security issue based on a set of security protocols; and
  
  generating a virtualized resource in the virtual environment to reduce an effect of the information security issue according to the set of security protocols.
- View Dependent Claims (19, 20)
- - 19. The computer readable storage device of claim 18, wherein the virtualized resource operates to capture an image of a state of the communication network in response to the determining the information security issue.
  - 20. The computer readable storage device of claim 18, wherein the virtualized resource replicates the virtualized network device in response to the determining the information security issue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Piqueras Jover, Roger, de los Reyes, Gustavo

Granted Patent

US 9,742,807 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/20 for managing network securi...

SECURITY ENHANCEMENTS FOR A SOFTWARE-DEFINED NETWORK WITH NETWORK FUNCTIONS VIRTUALIZATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY ENHANCEMENTS FOR A SOFTWARE-DEFINED NETWORK WITH NETWORK FUNCTIONS VIRTUALIZATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links