Telephony extension attack detection, recording, and intelligent prevention

US 7,653,188 B2
Filed: 10/04/2005
Issued: 01/26/2010
Est. Priority Date: 07/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method of protecting communication services of a communication enterprise, said method comprising the steps of:

detecting, by a processor, a perceived extension attack in the form of a call directed to one or more extensions within the communication enterprise, said detecting including analyzing at least one attribute of the call;

classifying, by a processor, a risk associated with the call based upon the analysis of the at least one attribute;

taking, by a processor, a remedial action to thwart the perceived attack according to the risk associated with the call; and

said detecting by a processor comprises (i) creating an algorithm, (ii) applying the algorithm to a first media stream of the call, (iii) generating a first media hash value reflective of the first media stream content, (iv) applying the algorithm to a second media stream of a subsequent call directed to the communications enterprise, (v) generating a second media hash value reflective of the second media stream, (vi) comparing the first and second hash values, and (vii) taking the remedial action if the first and second hash values fall within a pre-designated range.

View all claims

28 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting extension attacks made to a communication enterprise, and taking appropriate remedial action to prevent ongoing attacks and future attacks. One or more attributes of a suspect call are analyzed, and a risk is associated with each analyzed attribute. An overall risk or assessment is then made of the analyzed attributes, attack attributes are logged, and one or more remedial actions may be triggered as a result of the analyzed call attributes. The remedial actions may include recording the call, notifying an administrator of a suspect call, or isolating the communication enterprise from the attack by terminating the call or shutting down selected communication endpoints to prevent calls being made to those extensions. Rules may be applied to the analyzed attributes in order to trigger the appropriate remedial action. The call attributes analyzed may include call destination, call direction, call type, time of day of the call, call duration, whether a call source is spoofed, call volume from a particular call source, and hash values created for a suspect media stream.

52 Citations

View as Search Results

29 Claims

1. A method of protecting communication services of a communication enterprise, said method comprising the steps of:
- detecting, by a processor, a perceived extension attack in the form of a call directed to one or more extensions within the communication enterprise, said detecting including analyzing at least one attribute of the call;
  
  classifying, by a processor, a risk associated with the call based upon the analysis of the at least one attribute;
  
  taking, by a processor, a remedial action to thwart the perceived attack according to the risk associated with the call; and
  
  said detecting by a processor comprises (i) creating an algorithm, (ii) applying the algorithm to a first media stream of the call, (iii) generating a first media hash value reflective of the first media stream content, (iv) applying the algorithm to a second media stream of a subsequent call directed to the communications enterprise, (v) generating a second media hash value reflective of the second media stream, (vi) comparing the first and second hash values, and (vii) taking the remedial action if the first and second hash values fall within a pre-designated range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method, as claimed in claim 1, further including the steps of:
    - recording the call; and
      
      alerting an administrator of the communication enterprise of a type and risk associated with the call enabling the administrator to influence the remedial action taken.
  - 3. A method, as claimed in claim 1, wherein:
    - said detecting comprises detecting a spoofed call source by comparing a source ID attribute of the spoofed call to an actual call source ID wherein a look-up or reverse look-up is conducted to determine the actual call source.
  - 4. A method, as claimed in claim 1, wherein:
    - said detecting comprises analyzing call sequences sent from a call source to the enterprise, and taking the remedial action if the call sequences match a predetermined objectionable call sequence.
  - 5. A method, as claimed in claim 1, wherein:
    - said detecting comprises detecting calls sent to unadministered numbers in the enterprise, and taking the remedial action if the number of calls to the unadministered numbers reach an objectionable predetermined value.
  - 6. A method, as claimed in claim 1, wherein:
    - said detecting step comprises analyzing the time of day when calls are sent from a call source, and taking the remedial action if the number of calls received after normal hours of operation exceed a predetermined number of calls.
  - 7. A method, as claimed in claim 1, wherein:
    - said detecting comprises analyzing a call source, and determining whether the called source is fax, voice or modem.
  - 8. A method, as claimed in claim 1, wherein:
    - said detecting comprises determining whether a call is made from an extension within the enterprise.
  - 9. A method, as claimed in claim 1, wherein:
    - said detecting comprises detecting whether a plurality of calls from a call source have single or multiple durations.
  - 10. A method, as claimed in claim 1, wherein:
    - said detecting comprises detecting the number of calls received from a call source and determining whether the number of calls received comprises an objectionable number of calls.

11. A communication system, comprising:
- a communication server interconnected to a communication network, said communication server receiving communications through the network from at least one attack source;
  
  a first communication device having an address, and receiving communications from said network through said communication server; and
  
  an extension attack prevention application associated with said communication server, wherein said application analyzes call attributes of a call, assigns a risk associated with the call, and proposes a remedial action to thwart a perceived attack when said assigned risk fulfills criteria for a predetermined remedial action, said extension attack prevention application comprising an algorithm applied to a first media stream of the call to generate a first media hash value, and applying the algorithm to a second media stream of a subsequent call to generate a second media hash value, and means for comparing the first and second hash values for taking a remedial action if the first and second hash values fall within a pre-designated range.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. A system, as claimed in claim 11, wherein:
    - said extension attack prevention application detects a spoofed call source by comparing a source of the spoofed call to an actual call source wherein a look-up or reverse lookup is conducted to determine the actual call source.
  - 13. A system, as claimed in claim 11, wherein:
    - said extension attack prevention application includes at least one rule applied to attributes of the call analyzed for being an extension attack, said attributes including at least one of a call duration, a call direction, a call type, a time of day, a call destination, a spoofed call source, and a number of calls received from a call source of the call, said rule being associated with determining whether to take the remedial action.
  - 14. A system, as claimed in claim 11, wherein:
    - said extension attack prevention application assesses an overall risk associated with the call, said assessment comprises an analysis of a plurality of attributes of the call, said attributes including at least one of a media hash value, a call duration, a call direction, a call type, a time of day, a call destination, a spoofed call source, and a number of calls received from a call source of the call.
  - 15. A system, as claimed in claim 14, wherein:
    - said assessment includes a computation applied to at least one of said call attributes, and assigning a risk associated with at least one analyzed call attribute.
  - 16. A system, as claimed in claim 11, wherein:
    - said extension attack prevention application notifies an administrator of the communication system of the perceived attack and an assigned risk associated with the attack thereby enabling the administrator to intervene the remedial action taken.
  - 17. A system, as claimed in claim 11, wherein:
    - said extension attack prevention application includes executable programming instructions incorporated within said communication server, at least one database associated with said programming instructions, wherein said programming instructions are modified over time to alter the assignment of risks associated with attacks based at least in part on historical analysis of previously occurring extension attacks.
  - 18. A system, as claimed in claim 16, wherein:
    - said application includes an interactive voice response application incorporated in said communication server wherein the administrator is provided multiple options in generating an appropriate remedial action by selecting a remedial action option.

19. An apparatus for protecting communication resources of a communication enterprise, said apparatus comprising:
- a processor;
  
  programming instructions executed by said processor, said programming instructions including an extension attack prevention application wherein said application detects attributes of a suspect call, logs the attributes, assigns a risk to each of a plurality of the attributes associated with the suspect call, and provides recommendations for remedial actions to be taken to thwart a perceived attack;
  
  a processor readable memory associated with execution of the programming instructions, and for storage of data and said programming instructions;
  
  at least one input device for manipulating said programming instructions, and for interfacing with outputs generated from said device in response to perceived attacks; and
  
  wherein said attributes include a media hash value and a spoofed call source.
- View Dependent Claims (29)
- - 29. The apparatus as claimed in claim 19, wherein:
    - said programming instructions;
      
      (i) creates an algorithm,(ii) applies the algorithm to a first media stream of the suspect call,(iii) generates a first media hash value reflective of the first media stream content,(iv) applies the algorithm to a second media stream of a subsequent suspect call directed to the communications enterprise,(iv) generates a second media hash value reflective of the second media stream,(v) compares the first and second hash values, and(vi) causes implementation of a selected remedial action when the first and second hash values fall within a pre-designated range.

20. A system for protecting communication resources of a communication enterprise, said system comprising:
- a communication server for interfacing with a communication network, said communication server receiving and routing incoming communications, and facilitating transmission of communications with respect to addressed communication devices;
  
  means incorporated within said communication server for protecting the communication resources from extension attacks sent by one or more attack sources through the communication network, said means for protecting including;
  
  (i) means for detecting an extension attack;
  
  (ii) means for assigning a risk associated with the attack;
  
  (iii) means for taking a remedial action based on the assigned risk to thwart the attack; and
  
  (iv) said means for detecting comprises (i) creating an algorithm, (ii) applying the algorithm to a first media stream of the call, (iii) generating a first media hash value reflective of the first media stream content, (iv) applying the algorithm to a second media stream of a subsequent call directed to the communications enterprise, (v) generating a second media hash value reflective of the second media stream and (vi) comparing the first and second hash values.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. A system, as claimed in claim 20, wherein:
    - said means for detecting includes detecting a spoofed call source by comparing a source of the spoofed call to an actual call source, wherein a reverse lookup is conducted to determine the actual call source.
  - 22. A system, as claimed in claim 20, wherein:
    - said means for detecting comprises analyzing call sequences sent from a call source to the enterprise, and taking the remedial action if the call sequences match a predetermined objectionable call sequence.
  - 23. A system, as claimed in claim 20, wherein:
    - said means for detecting comprises detecting calls sent to unadministered numbers in the enterprise, and taking the remedial action if the number of calls to the unadministered numbers reach an objectionable predetermined value.
  - 24. A system, as claimed in claim 20, wherein:
    - said means for detecting comprises analyzing the time of day when calls are sent from a call source, and taking the remedial action if the number of calls received after normal hours of operation exceed a predetermined number of calls.
  - 25. A system, as claimed in claim 20, wherein:
    - said means for detecting comprises analyzing a call source, and determining whether the call source is fax, voice or modem.
  - 26. A system, as claimed in claim 20, wherein:
    - said means for detecting comprises determining whether a call is made from an extension within the enterprise.
  - 27. A system, as claimed in claim 20, wherein:
    - said means for detecting comprises detecting whether a plurality of calls from a call source have a single or multiple durations.
  - 28. A system, as claimed in claim 20, wherein:
    - said means for protecting includes executable programming instructions incorporated within said communication server at least when data base associated with said programming instructions, wherein said programming instructions are modified over time to alter the assignment of risks associated with attacks based at least in part on historical analysis of previously occurring extension attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arlington Technologies, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Avaya Incorporated
Inventors
Kloberdans, Michael James, Walton, John Michael
Primary Examiner(s)
Tieu; Binh K

Application Number

US11/243,753
Publication Number

US 20070036314A1
Time in Patent Office

1,575 Days
Field of Search

379/114.14, 379/143, 379/145, 379188-189, 379191-192, 379/198, 707/200, 370356-360, 726/23, 709/224
US Class Current

379/145
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 65/1079   of unsolicited session atte...

H04M 3/436   Arrangements for screening ...

H04M 7/006   Networks other than PSTN/IS...

Telephony extension attack detection, recording, and intelligent prevention

First Claim

28 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Telephony extension attack detection, recording, and intelligent prevention

First Claim

28 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links