Telephony extension attack detection, recording, and intelligent prevention
Abstract
A system and method are provided for detecting extension attacks made to a communication enterprise, and taking appropriate remedial action to prevent ongoing attacks and future attacks. One or more attributes of a suspect call are analyzed, and a risk is associated with each analyzed attribute. An overall risk or assessment is then made of the analyzed attributes, attack attributes are logged, and one or more remedial actions may be triggered as a result of the analyzed call attributes. The remedial actions may include recording the call, notifying an administrator of a suspect call, or isolating the communication enterprise from the attack by terminating the call or shutting down selected communication endpoints to prevent calls being made to those extensions. Rules may be applied to the analyzed attributes in order to trigger the appropriate remedial action. The call attributes analyzed may include call destination, call direction, call type, time of day of the call, call duration, whether a call source is spoofed, call volume from a particular call source, and hash values created for a suspect media stream.
Claims

1. A method of protecting communication services of a communication enterprise, said method comprising the steps of:
detecting, by a processor, a perceived extension attack in the form of a call directed to one or more extensions within the communication enterprise, said detecting including analyzing at least one attribute of the call;
classifying, by a processor, a risk associated with the call based upon the analysis of the at least one attribute;
taking, by a processor, a remedial action to thwart the perceived attack according to the risk associated with the call; and
said detecting by a processor comprises (i) creating an algorithm, (ii) applying the algorithm to a first media stream of the call, (iii) generating a first media hash value reflective of the first media stream content, (iv) applying the algorithm to a second media stream of a subsequent call directed to the communications enterprise, (v) generating a second media hash value reflective of the second media stream, (vi) comparing the first and second hash values, and (vii) taking the remedial action if the first and second hash values fall within a pre-designated range.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A communication system, comprising:
a communication server interconnected to a communication network, said communication server receiving communications through the network from at least one attack source;
a first communication device having an address, and receiving communications from said network through said communication server; and
an extension attack prevention application associated with said communication server, wherein said application analyzes call attributes of a call, assigns a risk associated with the call, and proposes a remedial action to thwart a perceived attack when said assigned risk fulfills criteria for a predetermined remedial action, said extension attack prevention application comprising an algorithm applied to a first media stream of the call to generate a first media hash value, and applying the algorithm to a second media stream of a subsequent call to generate a second media hash value, and means for comparing the first and second hash values for taking a remedial action if the first and second hash values fall within a pre-designated range.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.

19. An apparatus for protecting communication resources of a communication enterprise, said apparatus comprising:
a processor;
programming instructions executed by said processor, said programming instructions including an extension attack prevention application wherein said application detects attributes of a suspect call, logs the attributes, assigns a risk to each of a plurality of the attributes associated with the suspect call, and provides recommendations for remedial actions to be taken to thwart a perceived attack;
a processor readable memory associated with execution of the programming instructions, and for storage of data and said programming instructions;
at least one input device for manipulating said programming instructions, and for interfacing with outputs generated from said device in response to perceived attacks; and
wherein said attributes include a media hash value and a spoofed call source.
Dependent claims: 29.

20. A system for protecting communication resources of a communication enterprise, said system comprising:
a communication server for interfacing with a communication network, said communication server receiving and routing incoming communications, and facilitating transmission of communications with respect to addressed communication devices;
means incorporated within said communication server for protecting the communication resources from extension attacks sent by one or more attack sources through the communication network, said means for protecting including; (i) means for detecting an extension attack; (ii) means for assigning a risk associated with the attack; (iii) means for taking a remedial action based on the assigned risk to thwart the attack; and (iv) said means for detecting comprises (i) creating an algorithm, (ii) applying the algorithm to a first media stream of the call, (iii) generating a first media hash value reflective of the first media stream content, (iv) applying the algorithm to a second media stream of a subsequent call directed to the communications enterprise, (v) generating a second media hash value reflective of the second media stream and (vi) comparing the first and second hash values.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28.
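As an added example (not code from the patent or from any product of its assignee), here is a Python sketch of the flow the abstract and claim 1 describe: per-attribute risk scoring, a similarity hash computed over a call's media stream and compared against hashes of earlier attack calls within a pre-designated distance, and a mapping from the summed risk to a remedial action. The weights, thresholds, the energy-signature hash, the "011" international-prefix check and the sample audio are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Call:
    destination: str      # dialled digits
    hour: int             # local hour of arrival (0-23)
    duration_s: int       # call duration so far, in seconds
    spoofed_source: bool  # result of the enterprise's own caller-ID validation
    media: List[int]      # PCM samples of the call's media stream (constructed here)

def media_hash(samples: List[int], frames: int = 16) -> int:
    """Similarity hash: one bit per frame, set when the frame's energy exceeds the
    stream's mean energy, so near-identical recordings differ in only a few bits."""
    n = max(1, len(samples) // frames)
    energies = [sum(abs(s) for s in samples[i * n:(i + 1) * n]) for i in range(frames)]
    mean = sum(energies) / frames
    return sum(1 << i for i, e in enumerate(energies) if e > mean)

def hash_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")  # Hamming distance between two media hashes

def assess(call: Call, calls_from_source: int, known_attack_hashes: List[int],
           max_distance: int = 2) -> Tuple[int, List[str], str]:
    """Score each analysed attribute, sum the risk, pick a remedial action (assumed weights)."""
    h = media_hash(call.media)
    checks = [
        (call.spoofed_source, 3, "spoofed call source"),
        (call.hour < 6 or call.hour >= 22, 1, "off-hours call"),
        (call.destination.startswith("011"), 1, "international destination"),
        (call.duration_s < 5, 1, "very short call (extension probing)"),
        (calls_from_source >= 5, 2, "high call volume from one source"),
        (any(hash_distance(h, k) <= max_distance for k in known_attack_hashes), 4,
         "media matches a recorded attack"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    reasons = [r for hit, _, r in checks if hit]
    if score >= 7:
        action = "terminate call and isolate targeted extensions"
    elif score >= 3:
        action = "record call and notify administrator"
    else:
        action = "allow"
    return score, reasons, action

# Constructed media: an attack recording, a replay of it with one frame changed, and benign audio.
ATTACK_MEDIA = [1000 if (i // 10) % 2 == 0 else 10 for i in range(160)]
REPLAYED_MEDIA = ATTACK_MEDIA[:150] + [1000] * 10
BENIGN_MEDIA = [500] * 160
```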