System for intrusion detection and vulnerability analysis in a telecommunications signaling network

US 6,711,127 B1
Filed: 07/31/1998
Issued: 03/23/2004
Est. Priority Date: 07/31/1998
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for providing indications of attempted intrusion in a telecommunications signaling network, comprising:

means for receiving network messages related to communications in the telecommunications signaling network;

means for applying intrusion rules to the network messages in order to detect anomalies in the network messages;

means for classifying the detected anomalies according to particular criteria; and

means for reporting an indication of the classifications of the detected anomalies.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting attempted intrusions in a telecommunications signaling network and assessing the vulnerability of the network to attempted intrusions. Intrusion rules are applied to received messages in the network in real-time, using a known protocol for the network, in order to detect anomalies tending to indicate an attempted intrusion. In order to assess the vulnerability of the network, vulnerability rules are applied to rankings of particular parameters relating to elements in the network. The rankings provide an indication of susceptibility of a network element to an attempted intrusion relative to other network elements.

Citations

39 Claims

1. An apparatus for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
- means for receiving network messages related to communications in the telecommunications signaling network;
  
  means for applying intrusion rules to the network messages in order to detect anomalies in the network messages;
  
  means for classifying the detected anomalies according to particular criteria; and
  
  means for reporting an indication of the classifications of the detected anomalies.
- View Dependent Claims (2, 3, 4, 5, 6, 21, 22)
- - 2. The apparatus of claim 1 wherein the receiving means includes means for receiving predefined test network messages.
  - 3. The apparatus of claim 1 wherein the receiving means includes means for parsing and formatting the network messages as required for the application of the intrusion rules.
  - 4. The apparatus of claim 1 wherein the applying means includes means for comparing the network messages with information related to a known protocol for the telecommunications signaling network.
  - 5. The apparatus of claim 1 wherein the reporting means includes
- 6. The apparatus of claim 5 wherein the reporting means includesmeans for presenting in the user interface indications of alarms representing the attempted intrusions.
- 21. The apparatus of claim 1 wherein the reporting means includes means for generating, based upon the intrusion rules, a time-stamped listing of the classification of anomalies and the corresponding network messages.
- 22. The apparatus of claim 1 wherein the reporting means includes means for generating statistics, based on particular criteria, concerning the network messages.

7. An apparatus for determining a vulnerability of a telecommunications signaling network to attempted intrusions, comprising:
- means for receiving rankings for particular parameters related to elements of the telecommunications signaling network;
  
  means for applying vulnerability rules to the rankings in order to determine a likelihood of an attempted intrusion into the corresponding elements of the telecommunications signaling network, including means for determining a particular type of vulnerability of the corresponding elements; and
  
  means for reporting an indication of the likelihood of the attempted intrusions, including means for determining, based upon the particular type of vulnerability, an action affecting the corresponding elements in order to reduce the likelihood of the attempted intrusion in the corresponding elements.
- View Dependent Claims (8, 9, 10)
- - 8. The apparatus of claim 7 wherein the receiving means includes
- 9. The apparatus of claim 7 wherein the applying means includesmeans for combining the rankings according to particular criteria in order to produce numerical results providing indications of the likelihood of the attempted intrusions relative to the corresponding elements in the telecommunications signaling network.
- 10. The apparatus of claim 7 wherein the reporting means includesmeans for reporting a most vulnerable node and a most vulnerable link in the telecommunications signaling network.

11. A method for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
- receiving network messages related to communications in the telecommunications signaling network;
  
  applying intrusion rules to the network messages in order to detect anomalies in the network messages;
  
  classifying the detected anomalies according to particular criteria; and
  
  reporting an indication of the classifications of the detected anomalies.
- View Dependent Claims (12, 13, 14, 15, 16, 24, 25)
- - 12. The method of claim 11 wherein the receiving step includes receiving predefined test network messages.
  - 13. The method of claim 11 wherein the receiving step includes parsing and formatting the network messages as required for the application of the intrusion rules.
  - 14. The method of claim 11 wherein the applying step includes comparing the network messages with information related to a known protocol for the telecommunications signaling network.
  - 15. The method of claim 11 wherein the reporting step includes presenting in a user interface a topological representation of a portion of the telecommunications signaling network.
  - 16. The method of claim 15 wherein the reporting step includes presenting in the user interface indications of alarms representing the attempted intrusions.
  - 24. The method of claim 11 wherein the reporting step includes generating, based upon the intrusion rules, a time-stamped listing of the classification of anomalies and the corresponding network messages.
  - 25. The method of claim 11 wherein the reporting step includes generating statistics, based on particular criteria, concerning the network messages.

17. A method for determining a vulnerability of a telecommunications signaling network to attempted intrusions, comprising:
- receiving rankings for particular parameters related to elements of the telecommunications signaling network;
  
  applying vulnerability rules to the rankings in order to determine a likelihood of an attempted intrusion into the corresponding elements of the telecommunications signaling network, including determining a particular type of vulnerability of the corresponding elements; and
  
  reporting an indication of the likelihood of the attempted intrusions, including determining, based upon the particular type of vulnerability, an action affecting the corresponding elements in order to reduce the likelihood of the attempted intrusion in the corresponding elements.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 wherein the receiving step includes presenting a user interface for receiving the rankings.
  - 19. The method of claim 17 wherein the applying step includes combining the rankings according to particular criteria in order to produce numerical results providing indications of the likelihood of the attempted intrusions relative to the corresponding elements in the telecommunications signaling network.
  - 20. The method of claim 17 wherein the reporting step includes reporting a most vulnerable node and a most vulnerable link in the telecommunications signaling network.

23. An apparatus for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
- means for receiving a first message related to communications in the telecommunications signaling network and referring to a particular link in the network;
  
  means for applying an intrusion rule to the first message in order to detect anomalies in the first message, including determining if a second message of a predefined type was previously detected on the particular link; and
  
  means for reporting an indication of the detected anomalies.

26. A method for providing indications of attempted intrusion in a telecommunications signaling network, comprising:
- receiving a first message related to communications in the telecommunications signaling network and referring to a particular link in the network;
  
  applying an intrusion rule to the first message in order to detect anomalies in the first message, including determining if a second message of a predefined type was previously detected on the particular link; and
  
  reporting an indication of the detected anomalies.

27. A system for analyzing network communications, comprising:
- a monitoring analyzer module to selectively receive data transmitted in said network;
  
  a data collector process module to receive said data from said monitoring analyzer module and to parse and reformat said data into reformatted data;
  
  an intrusion detection process module to receive said reformatted data from said data collector process module, to apply intrusion rules to said reformatted data, and to generate results; and
  
  a display management process module to format said results into display data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The system as recited in claim 27, further comprising a display device to display said display data to a user.
  - 29. The system as recited in claim 27, wherein said monitoring analyzer module to selectively receives preformatted test data.
  - 30. The system as recited in claim 27, wherein said data transmitted in said network is real-time network data.
  - 31. The system as recited in claim 27, wherein said intrusion rules are applied to said reformatted data to detect anomalies in said data transmitted in said network.
  - 32. The system as recited in claim 27, wherein said intrusion rules are applied to detect events indicating attempted intrusions into said network.
  - 33. The system as recited in claim 27, wherein said intrusion rules are applied to detect events indicating attempted tampering with said network.
  - 34. The system as recited in claim 27, further comprising an intrusion log to maintain a time-stamped history of said results.
  - 35. The system as recited in claim 27, further comprising a topology database to store information related to said network.
  - 36. The system as recited in claim 35, wherein said information represents at least one of a topology of said network and interconnectivity of said network.
  - 37. The system as recited in claim 35, wherein said topology database to stores said intrusion rules.
  - 38. The system as recited in claim 27, wherein said network is a telecommunications signaling network and said data is telecommunications signaling network messages.
  - 39. The system as recited in claim 38, wherein said telecommunication signaling network is a signaling system 7 network and said telecommunications signaling network messages are signaling system 7 messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
General Dynamics Government Systems Corporation (General Dynamics Corporation)
Original Assignee
General Dynamics Government Systems Corporation (General Dynamics Corporation)
Inventors
Moy, David, Gorman, David B., Gearhart, G. Duane, Conrad, Beverly, Catherine, Gregory J., Peragine, Richard
Primary Examiner(s)
Nguyen, Chau
Assistant Examiner(s)
HYUN, SOON D

Application Number

US09/127,241
Time in Patent Office

2,062 Days
Field of Search

370/230, 370/235, 370/236, 370/252, 370/385, 370/403, 370/410, 370/522, 370/524, 713/200, 713/201, 709/223, 709/224, 709/225, 379/229, 379/230
US Class Current

370/230
CPC Class Codes

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04Q 3/0025   Provisions for signalling

System for intrusion detection and vulnerability analysis in a telecommunications signaling network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

System for intrusion detection and vulnerability analysis in a telecommunications signaling network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links