Method of and apparatus for mediating common channel signaling message between networks using control message templates

US 7,184,538 B1
Filed: 01/24/2001
Issued: 02/27/2007
Est. Priority Date: 06/30/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A communication network, comprising:

(A) local communication links,(B) a plurality of separately located central office switching systems interconnected via trunk circuits for selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages,(C) a signaling communication system for two-way communications of said control data messages between at least said central office switching systems, said signaling communication system interconnecting the central office switching systems;

(D) a signaling gateway, separate from the central office switching systems and connected to said signaling communications system, said signaling gateway including an interface connected to a remote communications network and configured to exchange said control data messages between said remote communication network and said central office switching systems by way of said signaling communication system, and(E) a signaling system security monitor, separate from the central office switching systems, said signaling system security monitor including a plurality of message templates corresponding to approved individual ones of said control data messages, sequences of such control data messages and informational relationships between the data contents of such data messages, said signaling system security monitor being responsive to said message templates to perform syntax and content dependent screening of said control data messages, said content dependent screening including checking appropriateness of said control data messages in context of (i) a state of the communications network and (ii) prior related messages.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication network includes a Security Gatekeeper that authenticates and validates network control messages within, transiting, entering and leaving an overlying control fabric such as an SS7 network. The Security Gatekeeper incorporates several levels of checks to ensure that messages are properly authenticated, valid, and consistent with call progress and system status. In addition to message format, message content is checked to ensure that the originating node has the proper authority to send the message and to invoke the related functions and that the message, itself, is appropriately coded. Predefined sets of templates may be used to check the messages, each set of templates being associated with respective originating point codes and/or calling party addresses. The templates may also be associated with various system states such that messages corresponding to a particular template cause a state transition along a particular edge to a next state node for which another set of templates is defined. Thus, system, call and/or transaction state are maintained. The monitor also includes signaling point authentication using digital signatures and timestamps. Timestamps are also used to initiate appropriate timeouts and so that old or improperly sequenced message may be ignored, corrected or otherwise processed appropriately. The Security Gatekeeper may be located at the edge of a network to be protected so that all messaging to and from the protected network must enter and egress by way of the Gatekeeper. Alternatively, the Security Gatekeeper may be internal to the protected network. In this configuration, ISUP traffic can be monitored by configuring the Security Gatekeeper as a “pseudo switch” so that ISUP messaging is routed through the Gatekeeper on its way between interconnected SSPs, while actual bearer traffic is trunked directly between the associated SSPs, bypassing the Gatekeeper.

62 Citations

View as Search Results

32 Claims

1. A communication network, comprising:
- (A) local communication links,(B) a plurality of separately located central office switching systems interconnected via trunk circuits for selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages,(C) a signaling communication system for two-way communications of said control data messages between at least said central office switching systems, said signaling communication system interconnecting the central office switching systems;
  
  (D) a signaling gateway, separate from the central office switching systems and connected to said signaling communications system, said signaling gateway including an interface connected to a remote communications network and configured to exchange said control data messages between said remote communication network and said central office switching systems by way of said signaling communication system, and(E) a signaling system security monitor, separate from the central office switching systems, said signaling system security monitor including a plurality of message templates corresponding to approved individual ones of said control data messages, sequences of such control data messages and informational relationships between the data contents of such data messages, said signaling system security monitor being responsive to said message templates to perform syntax and content dependent screening of said control data messages, said content dependent screening including checking appropriateness of said control data messages in context of (i) a state of the communications network and (ii) prior related messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The communications network according to claim 1 wherein said plurality of message templates are associated with a plurality of service providers.
  - 3. The communications network according to claim 2 wherein said signaling system security monitor associates each of said control data messages with a corresponding one of said service providers and selects one or more of said message templates in response to the corresponding to one of said service providers.
  - 4. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing sets of templates, each of said sets corresponding to control messages appropriate to particular call progress or transaction flow.
  - 5. The communications network according to claim 4 wherein said templates define message formats, parameters and values associated with control message types selected from MTP, SCCP, ISUP, TCAP and AIN type messages.
  - 6. The communications network according to claim 4 wherein said signaling system security monitor is configured to select from among said sets of templates in response to service provider authorization data associated with respective ones of said control data messages.
  - 7. The communications network according to claim 1 wherein said signaling system security monitor is configured to selectively communicate and selectively modify so as to bring into conformance with expectations said control data messages between said signaling gateway and corresponding ones of said central office switching systems by way of said signaling communication system in response to said control messages satisfying criteria specified by corresponding ones of said templates.
  - 8. The communications network according to claim 1 wherein said signaling system security monitor is configured to selectively (i) enable and inhibit said signaling gateway from exchanging and (ii) modify so as to bring into conformance with expectations said control data messages between said central office switching systems by way of said remote communication network and said signaling communication system.
  - 9. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing states of respective ones of said central office switching systems, said signaling system security monitor responsive to said states for selecting ones of said templates.
  - 10. The communications network according to claim 1 wherein said signaling gateway further comprises a signal protocol converter configured to convert SS7 type messages to another packet data format.
  - 11. The communications network according to claim 10 wherein the other packet data format is an Internet Protocol (IP) format.
  - 12. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor information contained in an MTP Layer 3 portion of said control data messages.
  - 13. The communications network according to claim 12 wherein said information contained in said MTP Layer 3 portion of said control data messages includes (i) a destination point code, (ii) an originating point code, and (iii) a service indicator octet.
  - 14. The communications network according to claim 12 wherein said signaling system security monitor is configured to monitor at least one of MTP, SCCP, ISUP, TCAP, and AIN messages.
  - 15. The communications network according to claim 12 wherein said signaling system security monitor is configured to monitor a plurality of message types selected from MTP, SCCP, ISUP, TCAP, and AIN type messages.
  - 16. The communications network according to claim 12 wherein said signaling system security monitor is configured to monitor calling and called party address parameters contained in SCCP message portions of said control data messages.
  - 17. The communications network according to claim 16 wherein said signaling system security monitor is configured to determine if said monitored calling and called party address parameters are consistent with an authorized signaling relationship.
  - 18. The communications network according to claim 12 wherein said signaling system security monitor is configured to monitor origination and destination point codes and calling and called party address parameters contained in the header of an SCCP message of said control data messages.
  - 19. The communications network according to claim 12 wherein said signaling system security monitor is configured to monitor the originating and destination point code parameters contained in the MTP message portion, as well as the calling and called party address parameters found in the SCCP message portion of said control data messages and determine if a particular originating application is authorized to send a particular TCAP message to a particular destination application.
  - 20. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing a state of said communications network.
  - 21. The communication network according to claim 1 wherein said signaling system security monitor includes a memory storing permissible states of said communications network and said templates include data indicating allowable next one(s) of said states.
  - 22. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing data relating call progress status with respective sets of control messages appropriate to initiate a next action consistent with a particular service.
  - 23. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing data relating a transaction state with respective sets of control messages appropriate to initiate a next action consistent with a particular service.
  - 24. The communications network according to claim 1 wherein said signaling system security monitor comprises a certification agent configured to exchange and maintain encryption key certificates.
  - 25. The communications network according to claim 1 wherein said signaling system security monitor is configured to issue and decrypt digital time stamps.

26. A method of securely interfacing control links of respective communication networks, comprising the steps of:
- storing a plurality of control message templates;
  
  exchanging control data messages between a remote communication network and a plurality of switching systems via a local signaling communication system;
  
  selecting ones of said control message templates in response to respective ones of said control messages;
  
  determining, using said templates, if said control data messages are proper including, responsive to said message templates, performing syntax and content dependent screening of said control data messages, said content dependent screening including checking appropriateness of said control data messages in context of (i) a state of the communications network and (ii) prior related messages;
  
  in response to said determining step, selectively communicating and selectively modifying so as to bring into conformance with expectations said control data messages between said central office switching systems;
  
  selectively routing messages from an incoming link to an outgoing link in response to said control data messages; and
  
  selectively generating control messages to help restore system integrity in cases where control messages are disallowed.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The method according to claim 26 wherein said plurality of control message templates are associated with a plurality of service providers.
  - 28. The method according to claim 26 further comprising steps of:
    - associating each of said control data messages with a corresponding one of said service providers; and
      
      selecting one or more of said message templates in response to the corresponding one of said service providers.
  - 29. The method according to claim 26 wherein each of said templates corresponds to an appropriate one of (i) call progress flow and (ii) transaction processing protocol.
  - 30. The method according to claim 26 wherein said templates define message formats, parameters values and relationships among messages, parameters and values associated with control message types selected from MTP, SCCP, ISUP, TCAP and AIN type messages.
  - 31. The method according to claim 26 further comprising a step of selecting said sets of templates in response to service provider authorization data associated with respective ones of said control data messages.
  - 32. The method according to claim 26 further including a step of selectively (i) enabling and inhibiting a signaling gateway from exchanging and (ii) modifying so as to bring into conformance with expectations said control data messages between said remote communication network and said signaling communication system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Doskow, Arthur, Jarosinski, Kathleen F., Hetz, Harry A.
Primary Examiner(s)
Nguyen; Quynh H.

Application Number

US09/767,902
Time in Patent Office

2,225 Days
Field of Search

379/189, 379/221.08, 379/221.09, 379/221.1, 726/11, 726/12, 726/13, 726/14, 726/15, 726/26, 726/27, 726/30, 370/352, 370/522
US Class Current

379/221.1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04M 7/126   Interworking of session con...

H04Q 3/0025   Provisions for signalling

Method of and apparatus for mediating common channel signaling message between networks using control message templates

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Method of and apparatus for mediating common channel signaling message between networks using control message templates

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others