System for intrusion detection and vulnerability analysis in a telecommunications signaling network
Abstract
Detecting attempted intrusions in a telecommunications signaling network and assessing the vulnerability of the network to attempted intrusions. Intrusion rules are applied to received messages in the network in real-time, using a known protocol for the network, in order to detect anomalies tending to indicate an attempted intrusion. In order to assess the vulnerability of the network, vulnerability rules are applied to rankings of particular parameters relating to elements in the network. The rankings provide an indication of susceptibility of a network element to an attempted intrusion relative to other network elements.
39 Claims
1. An apparatus for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
means for receiving network messages related to communications in the telecommunications signaling network;
means for applying intrusion rules to the network messages in order to detect anomalies in the network messages;
means for classifying the detected anomalies according to particular criteria; and
means for reporting an indication of the classifications of the detected anomalies.
Dependent claims: 2, 3, 4, 5, 6, 21, 22
means for presenting in a user interface a topological representation of a portion of the telecommunications signaling network.
6. The apparatus of claim 5 wherein the reporting means includes
means for presenting in the user interface indications of alarms representing the attempted intrusions.
21. The apparatus of claim 1 wherein the reporting means includes means for generating, based upon the intrusion rules, a time-stamped listing of the classification of anomalies and the corresponding network messages.
22. The apparatus of claim 1 wherein the reporting means includes means for generating statistics, based on particular criteria, concerning the network messages.
7. An apparatus for determining a vulnerability of a telecommunications signaling network to attempted intrusions, comprising:
means for receiving rankings for particular parameters related to elements of the telecommunications signaling network;
means for applying vulnerability rules to the rankings in order to determine a likelihood of an attempted intrusion into the corresponding elements of the telecommunications signaling network, including means for determining a particular type of vulnerability of the corresponding elements; and
means for reporting an indication of the likelihood of the attempted intrusions, including means for determining, based upon the particular type of vulnerability, an action affecting the corresponding elements in order to reduce the likelihood of the attempted intrusion in the corresponding elements.
Dependent claims: 8, 9, 10
means for presenting a user interface for receiving the rankings.
9. The apparatus of claim 7 wherein the applying means includes
means for combining the rankings according to particular criteria in order to produce numerical results providing indications of the likelihood of the attempted intrusions relative to the corresponding elements in the telecommunications signaling network.
10. The apparatus of claim 7 wherein the reporting means includes
means for reporting a most vulnerable node and a most vulnerable link in the telecommunications signaling network.
11. A method for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
receiving network messages related to communications in the telecommunications signaling network;
applying intrusion rules to the network messages in order to detect anomalies in the network messages;
classifying the detected anomalies according to particular criteria; and
reporting an indication of the classifications of the detected anomalies.
Dependent claims: 12, 13, 14, 15, 16, 24, 25
17. A method for determining a vulnerability of a telecommunications signaling network to attempted intrusions, comprising:
receiving rankings for particular parameters related to elements of the telecommunications signaling network;
applying vulnerability rules to the rankings in order to determine a likelihood of an attempted intrusion into the corresponding elements of the telecommunications signaling network, including determining a particular type of vulnerability of the corresponding elements; and
reporting an indication of the likelihood of the attempted intrusions, including determining, based upon the particular type of vulnerability, an action affecting the corresponding elements in order to reduce the likelihood of the attempted intrusion in the corresponding elements.
Dependent claims: 18, 19, 20
23. An apparatus for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
means for receiving a first message related to communications in the telecommunications signaling network and referring to a particular link in the network;
means for applying an intrusion rule to the first message in order to detect anomalies in the first message, including determining if a second message of a predefined type was previously detected on the particular link; and
means for reporting an indication of the detected anomalies.
26. A method for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
receiving a first message related to communications in the telecommunications signaling network and referring to a particular link in the network;
applying an intrusion rule to the first message in order to detect anomalies in the first message, including determining if a second message of a predefined type was previously detected on the particular link; and
reporting an indication of the detected anomalies.
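The per-link history rule of claims 23 and 26, combined with the classification and time-stamped listing of claims 11 and 21, sketched as an added example that is not code from the patent. The message types `LINK_FAILURE` and `LINK_RESTORE`, the escalation threshold and the class names are assumptions chosen for illustration; the claims name none of them.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical message types: the claims only say "a second message of a
# predefined type"; here a LINK_RESTORE must follow a LINK_FAILURE on that link.
PREREQUISITE = {"LINK_RESTORE": "LINK_FAILURE"}
ESCALATE_AFTER = 2  # assumed criterion: repeated anomalies on one link escalate

@dataclass(frozen=True)
class Message:
    ts: float       # capture time, epoch seconds
    link: str       # link the message refers to
    msg_type: str

class LinkHistoryDetector:
    def __init__(self, prerequisite=PREREQUISITE):
        self.prerequisite = prerequisite
        self.seen = defaultdict(set)   # link -> message types already detected
        self.hits = defaultdict(int)   # link -> anomalies raised so far

    def process(self, msg):
        """Return (classification, msg) if the rule fires, else None."""
        needed = self.prerequisite.get(msg.msg_type)
        anomalous = needed is not None and needed not in self.seen[msg.link]
        self.seen[msg.link].add(msg.msg_type)  # record only after the check
        if not anomalous:
            return None
        self.hits[msg.link] += 1
        repeated = self.hits[msg.link] >= ESCALATE_AFTER
        return ("probable-intrusion" if repeated else "suspicious"), msg

def report(messages):
    """Time-stamped listing of classified anomalies and the triggering message."""
    detector = LinkHistoryDetector()
    lines = []
    for msg in sorted(messages, key=lambda m: m.ts):
        result = detector.process(msg)
        if result:
            stamp = datetime.fromtimestamp(msg.ts, tz=timezone.utc)
            lines.append(f"{stamp:%Y-%m-%dT%H:%M:%SZ} {result[0]} "
                         f"link={msg.link} type={msg.msg_type}")
    return lines

# Constructed sample traffic (not real captures).
SAMPLE = [Message(0, "L1", "LINK_FAILURE"), Message(5, "L1", "LINK_RESTORE"),
          Message(10, "L2", "LINK_RESTORE"), Message(20, "L2", "LINK_RESTORE")]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

State is kept per link, so the restore on `L1` passes because its failure was seen first, while the same message type on `L2` is flagged and then escalated on repetition.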
27. A system for analyzing network communications, comprising:
a monitoring analyzer module to selectively receive data transmitted in said network;
a data collector process module to receive said data from said monitoring analyzer module and to parse and reformat said data into reformatted data;
an intrusion detection process module to receive said reformatted data from said data collector process module, to apply intrusion rules to said reformatted data, and to generate results; and
a display management process module to format said results into display data.
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39
Specification