Stateful and cross-protocol intrusion detection for voice over IP

US 7,814,547 B2
Filed: 08/28/2008
Issued: 10/12/2010
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising generating an intrusion alert based on the state of a first protocol and the state of a second protocol.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions.

17 Citations

View as Search Results

20 Claims

1. A method comprising generating an intrusion alert based on the state of a first protocol and the state of a second protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising blocking a message from reaching its destination in response to said intrusion alert.
  - 3. The method of claim 1 wherein said first protocol and said second protocol are application-layer protocols.
  - 4. The method of claim 1 wherein said first protocol is the Session Initiation Protocol and wherein said second protocol is the Real-time Transport Protocol.
  - 5. The method of claim 1 wherein said first protocol and said second protocol support a service.
  - 6. The method of claim 5 wherein said service is Voice over Internet Protocol.
  - 7. The method of claim 1 wherein said first protocol belongs to a first session, and wherein said second protocol belongs to a second session.
  - 8. The method of claim 7 wherein said first session and said second session belong to a call.

9. A method comprising generating an intrusion alert when the state of a first protocol and the state of a second protocol match a rule in a rule base.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 further comprising blocking a message from reaching its destination in response to said signal.
  - 11. The method of claim 9 wherein said first protocol and said second protocol are application-layer protocols.
  - 12. The method of claim 9 wherein said first protocol is the Session Initiation Protocol and wherein said second protocol is the Real-time Transport Protocol.
  - 13. The method of claim 9 wherein said first protocol and said second protocol support a service.
  - 14. The method of claim 13 wherein said service is Voice over Internet Protocol.
  - 15. The method of claim 9 wherein said first protocol belongs to a first session, and wherein said second protocol belongs to a second session.
  - 16. The method of claim 15 wherein said first session and said second session belong to a transaction.

17. An intrusion-detection system comprising:
- a message processor for inspecting incoming messages; and
  
  a rule base comprising a rule;
  
  wherein said rule specifies a condition concerning the state of a first protocol and the state of a second protocol.
- View Dependent Claims (18, 19, 20)
- - 18. The intrusion-detection system of claim 17 wherein said condition specifies a first state for said first protocol and a second state for said second protocol, and wherein said rule also specifies one or more actions to be performed when said condition holds.
  - 19. The intrusion-detection system of claim 18 wherein said one or more actions comprises at least one of:
    - (i) generating an intrusion alert, and(ii) blocking a message from reaching its destination.
  - 20. The intrusion-detection system of claim 17 wherein said first protocol executes within a first session, and wherein said second protocol executes within a second session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arlington Technologies, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Avaya Incorporated
Inventors
Garg, Sachin, Wu, Yu-Sung, Tsai, Timothy Kohchih, Singh, Navjot, Bagchi, Saurabh
Primary Examiner(s)
SMITHERS, MATTHEW

Application Number

US12/200,069
Publication Number

US 20080313737A1
Time in Patent Office

775 Days
Field of Search

713/152, 713/154
US Class Current

726/23
CPC Class Codes

H04L 63/1433 Vulnerability analysis

Stateful and cross-protocol intrusion detection for voice over IP

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Stateful and cross-protocol intrusion detection for voice over IP

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links