Method for malicious traffic recognition in IP networks with subscriber identification and notification

US 7,676,217 B2
Filed: 11/21/2005
Issued: 03/09/2010
Est. Priority Date: 01/31/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for recognizing malicious traffic in a mobile network comprising:

identifying a mobile subscriber by a permanent mobile subscriber identity;

detecting the malicious traffic to identify an IP address temporarily associated with the mobile subscriber;

matching the identity of the mobile subscriber to the malicious traffic by matching the permanent mobile subscriber identity identified to the IP address temporarily associated with the mobile subscriber as identified from the malicious traffic detected; and

based on the result of matching the identity of the mobile subscriber to the malicious traffic, notifying the mobile subscriber with the identity of the mobile subscriber of the malicious traffic associated with the mobile subscriber by using the permanent mobile subscriber identity and not the IP address temporarily associated with the mobile subscriber.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for recognizing malicious traffic in IP networks coupled with an identification and notification of a mobile subscriber generating or receiving malicious traffic is provided. An embodiment of the present invention may include intrusively or non-intrusively monitoring in real-time the mobile subscriber'"'"'s data traffic for malicious traffic as well as mobile security intrusion attempts. Another embodiment of the present invention may report the identification of those mobile subscribers generating or receive malicious traffic to an operator. By knowing the identity of the mobile subscriber, an embodiment of the present invention may block the mobile subscriber'"'"'s subscription or alert the mobile subscriber in question about the malicious traffic. One embodiment of the present invention may be applied to mobile networks where the mobile subscriber'"'"'s identity is known by an unique identifier (e.g., an IMSI or a phone number) and where a notification system may be implemented using a messaging service e.g., SMS, MMS, IM, email, or voice.

44 Citations

View as Search Results

33 Claims

1. A method for recognizing malicious traffic in a mobile network comprising:
- identifying a mobile subscriber by a permanent mobile subscriber identity;
  
  detecting the malicious traffic to identify an IP address temporarily associated with the mobile subscriber;
  
  matching the identity of the mobile subscriber to the malicious traffic by matching the permanent mobile subscriber identity identified to the IP address temporarily associated with the mobile subscriber as identified from the malicious traffic detected; and
  
  based on the result of matching the identity of the mobile subscriber to the malicious traffic, notifying the mobile subscriber with the identity of the mobile subscriber of the malicious traffic associated with the mobile subscriber by using the permanent mobile subscriber identity and not the IP address temporarily associated with the mobile subscriber.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the mobile subscriber identity is selected from a group consisting of an IMSI, a MSIDN, a phone number and a login name.
  - 3. The method of claim 2 wherein matching includes capturing the permanent mobile subscriber identity from a message selected from a group consisting of a PDP context request message and a RADIUS accounting packet.
  - 4. The method of claim 2 wherein matching includes querying the permanent mobile subscriber identity from a network element selected from a group consisting of a Charging Gateway, a Gateway GRRS Support Node, a Serving GPRS Support Node, a RADIUS server, and a Home Location Registry.
  - 5. The method of claim 1 wherein the mobile subscriber is notified by a notification.
  - 6. The method of claim 5 wherein the notification is selected from a group consisting of a SMS message, a MMS message, a IM message, a phone call, a Push-to-Talk message, and e-mail message, a voice mail message, a WAP redirection and a HTTP redirection.
  - 7. The method of claim 1 wherein the malicious traffic associated with the mobile subscriber is selected from at least one of a group consisting of a malicious traffic sent by the mobile subscriber and a malicious traffic received by the mobile subscriber.
  - 8. The method of claim 1 further comprising:
    - notifying a content server to create a web page displaying a message based on the malicious traffic associated with the mobile subscriber; and
      
      notifying a redirecting network element to redirect the mobile subscriber to the web server.
  - 9. The method of claim 8 wherein the message displayed is selected from a group consisting of a warning to desist and an instruction to disinfect.
  - 10. The method of claim 8 wherein the redirecting network element is selected from a group consisting of a Domain Name Server and an Internet Protocol router.
  - 11. The method of claim 1, further comprising notifying an administrative system of the malicious traffic associated with the mobile subscriber.
  - 12. The method of claim 1, further comprising notifying a network element which disables a mobile data account of the mobile subscriber temporarily or permanently.
  - 13. The method of claim 1, further comprising sending at least one session detail to a database system when the malicious traffic associated with the mobile subscriber is detected.
  - 14. The method of claim 13 wherein the session details is selected for at least one of a group consisting of a phone number, an IP address, a session timestamp, a number of packets sent, a number of bytes sent, and an identification of malicious activity.
  - 15. The method of claim 1 wherein the notifying step the mobile subscriber uses using a first method different from a second method used for communicating malicious traffic.
  - 16. The method of claim 1 wherein the notifying step is carried out by using a method native to an air interface used for sending messages to the mobile subscriber.
  - 17. The method of claim 16 wherein the detecting step is carried outside a radio area network.
  - 18. The method of claim 1 wherein matching includes matching the permanent mobile subscriber identity identified to the IP address temporarily associated with the mobile subscriber as identified from the malicious traffic detected and a time the malicious traffic was detected to form the match;
    - andwherein notifying includes based on the match formed, notifying the mobile subscriber using the permanent mobile subscriber identity of the match even if the IP address identified, once associated with the mobile subscriber at the time the malicious traffic was detected, is no longer valid.
  - 19. The method of claim 1 wherein notifying includes notifying the mobile subscriber of the malicious traffic using any one of SMS, MMS, IM, voice, email, and Push to Talk.
  - 20. The method of claim 1 wherein notifying includes in response to any one of HTTP GET and WAP GET, redirecting the mobile subscriber to a webpage notification of the malicious traffic.

21. A method for recognizing malicious traffic in an IP network comprising:
- given an IP packet used to identify a mobile subscriber and other IP packets, analyzing each IP packet having a first portion and a second portion, the first portion having a source IP address and a destination IP address;
  
  identifying a mobile subscriber by a permanent mobile subscriber identity from the second portion of the IP packet used to identify the mobile subscriber;
  
  detecting the malicious traffic to identify an IP address temporarily associated with the mobile subscriber from the second portion of the other IP packets;
  
  matching the identity of the mobile subscriber to the malicious traffic by matching the permanent mobile subscriber identity to the IP address temporarily associated with the mobile subscriber as identified from the malicious traffic detected to form a match; and
  
  based on the result of matching the identity of the mobile subscriber to the malicious traffic, notifying the mobile subscriber with the identity of the mobile subscriber of the malicious traffic associated with the mobile subscriber using the permanent mobile subscriber identity and not the IP address temporarily associated with the mobile subscriber from the second portion of the IP packet.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. The method of claim 21 wherein the second portion of the IP packet used to identify the mobile subscriber is selected from a group consisting of a PDP context activation message and a RADIUS accounting packet.
  - 23. The method of claim 21 wherein the mobile subscriber is notified by a notification.
  - 24. The method of claim 23 wherein the notification is selected from a group consisting of a SMS message, a MMS message, a IM message, a phone call, a Push-to-Talk message, an email message, a voice mail message, a WAP redirection and a HTTP redirection.
  - 25. The method of claim 21 wherein the IP packet used to identify the mobile subscriber is sent over an interface selected from a group consisting of a Gn interface, and a Pi interface.
  - 26. The method of claim 21 wherein the malicious traffic associated with the mobile subscriber is selected from at least one of a group consisting of a malicious traffic sent by the mobile subscriber and a malicious traffic received by the mobile subscriber.
  - 27. The method of claim 21 further comprising:
    - notifying a web server to create a web page displaying a message based on the malicious traffic associated with the mobile subscriber; and
      
      notifying a redirecting network element to redirect the mobile subscriber to the web server.
  - 28. The method of claim 27 wherein the message displayed is selected from a group consisting of a warning to desist and an instruction to disinfect.
  - 29. The method of claim 27 wherein the redirecting network element is selected from a group consisting of a Domain Name Server and an Internet Protocol router.
  - 30. The method of claim 21 further comprising notifying an administrative system of the malicious traffic associated with the mobile subscriber.
  - 31. The method of claim 21 further comprising notifying a network element which disables a mobile data account of the mobile subscriber temporarily or permanently.
  - 32. The method of claim 21 further comprising sending at least one session detail to a database system when the malicious traffic associated with the mobile subscriber is detected.
  - 33. The method of claim 32 wherein the session details is selected for at least one of a group consisting of a phone number, an IP address, a session timestamp, a number of packets sent, and a number of bytes sent, and an identification of malicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Theta Networks Incorporated
Original Assignee
The Theta Networks Incorporated
Inventors
Boquillod, Yann, Zhu, Shouyu
Primary Examiner(s)
Pérez-Gutiérrez; Rafael
Assistant Examiner(s)
Miah; Liton

Application Number

US11/285,790
Publication Number

US 20060174028A1
Time in Patent Office

1,569 Days
Field of Search

455/410, 455/411, 455/412.2, 726 22- 24, 709/224
US Class Current

455/411
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Method for malicious traffic recognition in IP networks with subscriber identification and notification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method for malicious traffic recognition in IP networks with subscriber identification and notification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links