Dual use counters for routing loops and spam detection
First Claim
1. A method for detecting an undesirable condition within a messaging network, comprising:
- receiving a message from a source;
incrementing a source counter and updating an array of timestamps with a new entry corresponding to a time at which the message from the source was received, the array of timestamps including a timestamp entry for each respective source counter increment, and further including more than two timestamps for a given source;
iterating through the array of timestamps to access all source counters and associated timestamps;
removing entries in the array of timestamps that are older than a fixed window size while leaving entries in the array of timestamps that are not older than the fixed window size, and decrementing the source counter for each entry so removed;
comparing the source counter to a source threshold; and
when the source counter exceeds the source threshold, triggering an alarm indicative of an undesirable condition.
3 Assignments
0 Petitions
Accused Products
Abstract
A method for detecting an undesirable condition within a messaging network. A message is received and a source of the message is identified. If an entry in a database for the source has not been created, an entry is created. A source counter for the source is then set to one and a timestamp is created for the source. If an entry in the database for the source has been previously created, the source counter is incremented by one and the timestamp is updated. The source counter is then compared to a source threshold, and if the source counter exceeds the source threshold over the course of predetermined amount of time, a source alarm is triggered. A sliding with respect to the predetermined amount of time may also be implemented to account for total counts that may fall across or be split by set periods of time. The invention is particularly useful for detecting “spam” events and undesirable routing loops.
-
Citations
16 Claims
-
1. A method for detecting an undesirable condition within a messaging network, comprising:
-
receiving a message from a source; incrementing a source counter and updating an array of timestamps with a new entry corresponding to a time at which the message from the source was received, the array of timestamps including a timestamp entry for each respective source counter increment, and further including more than two timestamps for a given source; iterating through the array of timestamps to access all source counters and associated timestamps; removing entries in the array of timestamps that are older than a fixed window size while leaving entries in the array of timestamps that are not older than the fixed window size, and decrementing the source counter for each entry so removed; comparing the source counter to a source threshold; and when the source counter exceeds the source threshold, triggering an alarm indicative of an undesirable condition. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method for detecting a spam event in a messaging network, comprising:
-
monitoring message traffic in the messaging network; for a source address associated with a message, creating an entry in a database, setting a source address counter for that source address to a predetermined number and storing a timestamp array including a time at which the message was received, and incrementing the source counter when the source address is again detected and updating the timestamp array with a new timestamp entry corresponding to at time at which the source address was again detected, wherein the timestamp array includes more than two timestamps for a given source address; iterating through the array of timestamps to access all source counters and associated timestamps; removing entries in the timestamp array that are older than a fixed window size while leaving entries in the timestamp array that are not older than the fixed window size, and decrementing the source counter for each entry so removed; and comparing the source counter for a given source address to a source threshold; and when the source counter exceeds the source threshold, triggering an alarm indicative of a spam event. - View Dependent Claims (9, 10, 11)
-
-
12. A method of detecting a routing loop in a telecommunications network, comprising:
-
monitoring message traffic passing through an intermediary interconnecting at least two telecommunication service providers; as message traffic passes through the intermediary, setting a source address counter to a predetermined number and storing a timestamp corresponding to a time at which a first message passed through the intermediary, incrementing the source address counter and adding a new timestamp to an array of timestamps each time the first message passes through the intermediary, wherein the array of timestamps includes more than two timestamps for a given source address; as message traffic passes through the intermediary, setting a destination address counter to a predetermined number and storing a timestamp corresponding to a time at which a second message passed through the intermediary, incrementing the destination address counter and adding a new timestamp to another array of timestamps each time the second message passes through the intermediary; comparing the source address counter and destination address counter for a given source address and a given destination address, respectively to a source address threshold and destination address threshold; iterating through the arrays of timestamps to access all source and destination counters and associated timestamps and removing entries in the array of timestamps that are older than a fixed window size while leaving entries in the array of timestamps that are not older than the fixed window size; and when the source address counter and destination address counter, respectively exceed the source address threshold and destination address threshold over the course of a predetermined amount of time, triggering an alarm indicative of a routing loop. - View Dependent Claims (13, 14, 15, 16)
-
Specification